Acm 6.38.0 Admin Guide en

Admin Guide
Access Control Manager™

Version 6.38.0
© 2016 - 2022, Motorola Solutions, Inc. All rights reserved. MOTOROLA, MOTO, MOTOROLA SOLUTIONS,
and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and
are used under license. AVIGILON, the AVIGILON logo, AVIGILON CONTROL CENTER, ACC, ACCESS
CONTROL MANAGER, ACM and ACM VERIFY are trademarks of Avigilon Corporation. Digital Monitoring
Products® is a registered trademark of Digital Monitoring Products. Remote Link is a trademark of Digital
Monitoring Products, Incorporated. HID, HID GLOBAL, HID Mercury, HID Mobile Access, APERIO and VERTX
are trademarks or registered trademarks of HID Global, ASSA ABLOY AB, or its affiliate(s) in the US and other
countries. Allegion, ENGAGE technology and Schlage are trademarks of Allegion plc, its subsidiaries and/or
affiliates in the United States and other countries. Linux is a registered trademark of Linus Torvald in the US
and other countries. Firefox is a trademark of the Mozilla Foundation in the US and other countries. Other
names or logos mentioned herein may be the trademarks of their respective owners. The absence of the
symbols ™ and ® in proximity to each trademark in this document or at all is not a disclaimer of ownership of
the related trademark.
This document has been compiled and published using product descriptions and specifications available at
the time of publication. The contents of this document and the specifications of the products discussed
herein are subject to change without notice. Motorola Solutions Inc. reserves the right to make any such
changes without notice. Neither Motorola Solutions Inc. nor any of its affiliated companies: (1) guarantees the
completeness or accuracy of the information contained in this document; or (2) is responsible for your use of,
or reliance on, the information. Motorola Solutions Inc. shall not be responsible for any losses or damages
(including consequential damages) caused by reliance on the information presented herein.
Motorola Solutions Inc.

motorolasolutions.com
PDF-ACM-ADM-6.38.0-A
Revision: 1 - EN
20221116
2
Revisions
ACM Release Description
ACM 6.38.0 Events for low system resources:

l Appliance Events on page 515
Bosch intrusion enhancements:

l Clear Alarms button in Monitoring Areas in Bosch Intrusion Systems
on page 58
DMP intrusion enhancements:

l Encryption Fails status in Viewing Panels, Areas, Zones and Outputs
on page 61
l Panel Encryption on page 447, Step 1: Connecting to a DMP Intrusion
Panel on page 447
Mercury LED Mode support for OSDP readers:

l LED Modes for Mercury Security on page 322
l Editing LED Modes on page 321
l Mercury Security LED Mode Table page on page 322
OSDP Tracing checkbox for OSDP readers:

l Reader Edit page (Mercury Security) on page 261
l Reader Template: Add page on page 150
l Reader Template: Edit page on page 153
Revisions 3
Table of Contents
Revisions 3
Introduction 23
Logging In 23
Initial Setup 24
Accepting the End User License Agreement 24
Upgrading Your License Format 24
Adding a License 25
Online Licensing 25
Offline Licensing 25
Changing the Administrator Password 26
Creating a Super Admin Identity 26
Monitoring 28
Monitoring Events 28
Pause/Resume Events 29
Clear Events 29
View Live Video 29
View Recorded Video 30
Create Event Notes 30
View Event Notes 31
View Event Instructions 31
View Event Identity Details 31
View Event History 32
Change Events List Settings 32
Reconnect to Events List 32
Searching for Events and Alarms 33
View Camera (Search) 34
View Recorded Video (Search) 34
Create Event Notes (Search) 35
View Event Notes (Search) 35
View Event Instructions (Search) 35
View Event Identity Details (Search) 36
View Event History (Search) 36
Change Transactions List Settings 36
Monitoring Alarms 37
4
Acknowledge Alarms 38
View Live Video (Alarms) 39
View Recorded Video (Alarms) 39
Create Event Notes (Alarms) 39
View Event Notes (Alarms) 40
View Event Instructions (Alarms) 40
View Event Identity Details (Alarms) 41
View Event History (Alarms) 41
Change Alarms List Settings 41
Using the Verification page 42
Verifying Identities at Doors 42
Verification Events List 43
Using the Dashboard 44
Status Colors 46
Appliance Transactions Indicators 47
Device Status 47
Security Status 48
Installing, Uninstalling and Deleting Panels and Subpanels 49
Viewing, Masking and Unmasking Inputs 49
Viewing, Activating and Deactivating Outputs 49
Searching Panel, Subpanel, Input and Door Names 49
Saving Door Filters 50
Controlling Doors 50
Accessing Web Interface of Power Panels 51
Using Map Templates 52
Using a Map 52
Hardware Status 52
Viewing a Map 53
Map Actions 54
Adding Maps 57
Monitoring Bosch Intrusion Panels 57
Monitor Bosch Intrusion Panel Status 57
Monitoring Areas in Bosch Intrusion Systems 58
Viewing Areas 58
Arming Areas 59
Arming Perimeter Areas 59
Disarming Areas 59
5
Silencing Keypad Alarms 59
Clearing Alarms 60
Resetting Sensors 60
Monitor Bosch Intrusion Panel Points 60
Monitor Bosch Intrusion Panel Outputs 61
Monitoring and Controlling DMP Intrusion Systems 61
Viewing Panels, Areas, Zones and Outputs 61
Silencing Keypad Alarms on Panels 62
Resetting Sensors on Panels 62
Arming or Disarming Areas 63
Bypassing Zones and Resetting Bypassed Zones 63
Activating and Deactivating Outputs 64
Identities 65
Configuring HID Mobile Access® Credentials 66
Prerequisites 66
Step 1: Connecting to the HID Origo External System 66
Step 2: Enrolling Identities and Issuing Tokens 67
Issuing a Token to an Enrolled Identity on a Registered Mobile Device 67
Registering a New Mobile Device for an Enrolled Identity 68
Searching for HID Origo Tokens 68
Searching for an Identity 68
Adding an Identity 69
Assigning Roles to Identities 71
Assigning Tokens to Identities 71
Assigning Groups to Identities 72
Deleting a Token 72
Capturing and Uploading Photos of an Identity 73
Creating Badges for Identities 77
Timed Access 78
Adding Timed Access to an Identity 79
Editing Timed Access 80
Deleting Timed Access 80
Editing an Identity 80
Token Fields 81
Managing Roles 87
Configuring Roles 87
6
Adding a Role 87
Editing a Role 88
Assigning an Access Group to a Role 89
Assigning Delegations to a Role 89
Assigning Routing Groups to a Role 89
Assigning Roles 90
Deleting a Role 90
Searching for Roles 91
Role Fields 92
Roles - Access Groups page 93
Roles - Delegate page 93
Roles - Routing page 94
Roles - Assign Roles page 94
Roles - Access page 95
Roles - Audit page 95
Configuring Policies 96
Adding a Policy 96
Editing a Policy 97
Deleting a Policy 97
Policies list 97
Policies - Policy Add page 98
Policies - Policy: Add page 98
Policies - Mercury Security page 99
Policies - Input page 102
Policies - Output page 103
Policies - Audit page 104
Configuring Groups 104
Adding a Group 104
Editing a Group 105
Assigning Policies to Groups 105
Assigning Members to Groups 106
Creating a Hardware Group for Routing 106
Using Policies to Override Hardware Settings 107
Performing an Identity Batch Update 108
Performing a Batch Update from the Identity Profiles page 108
Performing a Batch Update from the Groups page 108
Performing an Identity or Template Batch Update 108
7
Scheduling an Identity or Door Batch Update 109
Deleting a Group 109
Groups list 110
Groups - Group Add page 110
Groups - Group Edit page 110
Groups - Policies page 110
Groups - Members page 111
Groups - Audit page 112
Managing Door Access 112
Adding an Access Group 112
Editing an Access Group 113
Deleting an Access Group 114
Access Groups - Example 114
Searching for Access Groups 115
Access Group Fields 116
Access Groups - Access page 117
Access Groups - Audit page 117
Managing Access in the Application 118
Adding a Delegation 118
Editing a Delegation 119
Adding a Delegation to a Role 119
Deleting a Delegation 119
Delegations list 119
Delegations - Delegation: Edit page 120
Managing a Partitioned ACM System 121
Planning a Partitioned System 122
Configuring a Partitioned ACM System 123
Adding a Partition 124
Editing a Partition 125
Deleting a Partition 125
Partitions - List 125
Partitions - Add page 125
Partitions - Partition Edit page 126
Assigning Partitions to ACM Operators and Entities 126
Routing Events to the Monitor Screen 127
Routing Groups - Introduction 128
8
Adding a Routing Group 128
Editing a Routing Group 129
Assigning a Routing Group to a Role 129
Deleting a Routing Group 130
Routing Groups list 130
Routing Groups - Add page 130
Routing Groups - Schedule page 131
Routing Groups - Event Types page 131
Routing Groups - Groups page 132
Managing Elevator Access 132
Adding an Elevator Access Level 133
Editing an Elevator Access Level 133
Assigning an Elevator Access Level to an Access Group 133
Deleting an Elevator Access Level 134
Elevator Access Levels list 134
Elevator Access Levels - Add page 134
Elevator Access Levels - Elevator Access Level: Edit page 135
Reports 136
Generating Reports 136
Report Preview 136
Editing Reports 137
Editing Audit Log and Transaction Reports 138
Creating Custom Reports 139
Scheduling a Custom Report By Batch Job (Specification) 140
Creating Custom Audit Log and Transaction Reports 141
Physical Access 142

Templates Overview 142
Door Templates 143
Door Templates - Batch Update 144
Door Templates list page 144
Door Templates - Add page 145
Door Templates - Door Template: Edit page 147
Reader Templates 149
Reader Templates list page 150
Reader Template: Add page 150
9
Reader Template: Edit page 153
Input Templates 156
Input Templates list page 157
Input Template: Add page 157
Input Template: Edit page 159
Output Templates 160
Output Templates list page 161
Output Template: Add page 161
Output Template: Edit page 162
Wiring Templates 163
Wiring Templates list page 163
Wiring Template: Add page 164
Wiring Template: Edit page 166
Configuring Panels 167
Searching for Panels 167
Panel Migration 167
Mercury Security EP to LP Panel 167
Adding Panels 168
Configuring the Mercury Security MS Bridge Solution 170
Batch Creating Subpanels on a New Mercury Panel 171
Subpanel: Batch Create page 172
Subpanel: Batch Edit Details page 173
Subpanel: Batch Name Doors or Subpanel: Batch Create Summary page 174
Adding HID VertX® Subpanels 174
Adding Mercury Security Panels 174
Subpanel Fields 174
Subpanel: Batch Add page (VertX®) 175
Editing Panels 176
Editing HID® VertX® Panels 176
Editing Mercury Security Panels 176
177
Panel Card Formats 177
Resetting Anti-Passback from the Panel 177
Downloading Parameters 177
Downloading Tokens 177
Lenel Panel Support 178
Resetting Doors Connected to a Subpanel 178
10
Updating Panel Firmware 179
Updating Panel Time 179
SALTO Panel Status 180
SALTO Panel Configuration 180
Deleting Panels 180
Configuring Subpanels 181
Adding a Subpanel 181
Editing Subpanels 183
Inputs 183
Output Operating Modes 184
Outputs 184
Deleting Subpanels 184
Configuring Locks 185
Supported Devices 185
Configuring ASSA ABLOY™ Aperio® Wireless Lock Technology 186
Configuring Allegion Schlage AD-400 Series Locks 187
Configuring Allegion Schlage LE Series Locks 188
Configuring Allegion Schlage NDE Series Locks 190
Configuring SimonsVoss Wireless Locks 191
Prerequisites 192
Configuring Doors 193
Troubleshooting 195
Door Is Not Online 195
Door Status 195
Macros 195
Adding Macros 196
Editing Macros 196
Deleting Macros 197
Assigning Macros 197
Assigning a Macro to a Trigger 197
Assigning a Macro to a Macro 197
Assigning a Macro to a Door 198
Sorting Macros 198
Triggers 198
Adding Triggers 198
Editing Triggers 199
Deleting Triggers 199
11
Searching for Doors 200
Advanced Filtering on the Doors List 200
Adding Doors 202
Adding Simple Macros 211
Editing Doors 211
Doors - Editing VertX® Doors 212
Doors - Editing Mercury Security Doors 212
Deleting Doors 212
Door Modes 213
Access Types 215
Anti-Passback 215
Anti-Passback Modes 215
Setting Up Anti-Passback 217
Two-Person Minimum Occupancy and Single Door Configuration 218
Granting a Free Pass 220
Global Anti-Passback 221
Global Anti-Passback Modes 221
Interlocks 221
Adding Interlocks 222
Editing Interlocks 222
Doors list 222
Adding Doors 225
Doors - VertX® New Parameters page 234
Doors - Mercury Security New Parameters page 236
Doors - Door: Edit Screen 239
Door: Edit page (VertX® ) 239
Parameters tab (VertX® ) 239
Operations tab (VertX®) 242
Hardware tab (VertX®) 244
Reader Edit page (VertX®) 245
Input Edit page (VertX®) 245
Output Edit page (VertX®) 246
Cameras tab (VertX®) 247
Events tab 248
Doors - Creating Local Events for VertX® Doors 249
Access tab (VertX® ) 251
Transactions tab (VertX® ) 251
12
Door: Edit page (Mercury Security) 252
Parameters tab (Mercury Security) 252
Operations tab (Mercury Security) 256
Hardware tab (Mercury Security) 259
Reader Edit page (Mercury Security) 261
Input Edit page (Mercury Security) 263
Output Edit page (Mercury Security) 264
Elev tab (Mercury Security) 265
Cameras tab (Mercury Security) 265
Configuring and Viewing Live Video Stream 267
Overview 267
Configuring Live Video Stream 267
Interlocks tab (Mercury Security Doors) 268
Interlocks Add page 268
Interlock Edit page 269
Events tab 270
Doors - Creating Local Events for Mercury Security Doors 271
Access tab (Mercury Security) 273
Transactions tab (Mercury Security) 274
Doors - Access page 274
Viewing Door Events, Access Groups and Transactions 274
Configuring ACM Verify™ Virtual Doors 276
Adding an ACM Verify Door 276
Parameters tab (Avigilon) 277
Paired Devices 278
Prerequisites for Pairing Devices 278
Precautions for Paired ACM Verify Stations 279
Pairing a Device 279
Using ACM Verify 280
IP/PoE Mode Installation 281
System Overview 281
Step 1: Creating an ENGAGE Site 283
Step 2: Configuring Gateways for IP Wireless Locks 283
Step 3: Configuring IP Wireless Devices 284
Step 4: Configuring Locking Operation 286
Applying Door Commands 287
Door Scheduling By Batch Job (Specification) 288
Viewing Gateway or Offline Wi-Fi Lock Status 288
13
Viewing Door Status and Events 289
Updating Gateway and Offline Wi-Fi Lock Firmware 291
Offline Wi-Fi Mode Installation 292
Step 2: Setting Up Communication to Offline Wi-Fi Locks 293
Step 3: Configuring Offline Wi-Fi Lock Operation 294
Updating Lock Firmware 296
Deleting Offline Wi-Fi Locks 297
SALTO Door Installation 298
System Overview 298
Prerequisites 299
SALTO Server Installation and Configuration 299
Understanding SALTO and ACM Door Configuration 300
Escape and Return Mode 301
SALTO Ethernet Encoder Configuration 302
Step 1: Connecting to a SALTO Server 302
Step 2: Configuring the SALTO Server 303
Step 3: Syncing Doors with the SALTO Server 304
Step 4: Installing and Configuring Doors 304
Step 5: Creating Identities and Tokens 306
Using Physical and Mobile Keys 307
Editing Tokens — Update Required and Re-edition Required 307
Canceling Keys 309
Downloading All Tokens 310
ASSA ABLOY™ IP Lock Installation 311
System Overview 311
Prerequisites 312
Step 1: Configuring a Door Service Router for IP Locks 313
Step 2: Syncing Doors with the Door Service Router 314
14
Configuring Areas 317
Adding Areas 319
Editing Areas 319
Deleting Areas 319
EOL Resistance 319
Adding EOL Resistance for Mercury Input Points 319
Adding EOL Resistance for VertX® Input Points 320
Editing EOL Resistance for Mercury Input Points 320
Editing EOL Resistance for VertX® Input Points 320
Mercury LED Modes - List page 320
Editing LED Modes 321
Restoring to Default States 321
Mercury Security LED Mode Table page 322
LED Modes for Mercury Security 322
Configuring Card Formats 323
Supported Card Formats 323
Corporate Card Mode for Using Facility Codes 324
Issue Level Numbering for Reusing a Card Number 325
Adding Card Formats 326
Editing Card Formats 326
Deleting Card Formats 327
Card Format Fields 327
Configuring ACM System Events 330
Searching for ACM System Events 330
Customizing ACM System Events 331
Assigning Priority Colors to ACM System Events 331
Global Actions 332
Adding Global Actions 333
Adding a Group of Global Actions 333
Editing Global Actions 334
Types of Global Actions 334
Deleting Global Actions 335
Creating Global Actions and Linkages for Bosch Intrusion System 335
Intrusion panel alarm due to an event in the System 335
Disable and enable doors from keypad 335
Disarm Alarm on Access Grant with restricted authorities 336
Creating Global Actions and Linkages for DMP Intrusion System 336
15
Toggle Arming and Disarming Areas 336
Global Linkages - Introduction 337
Adding Global Linkages 337
Editing Global Linkages 337
Mustering 337
Mustering - Requirements 338
Mustering - Creating a Dashboard 338
Mustering - Using the Dashboard 339
Mustering - Manually Moving Identities 341
Managing Appliances 342

Editing Appliance Settings 342
Deleting an Appliance 342
Configuring Replication and Failover 343
Failover/Redundancy Feature 344
Automatic failover 344
Manual failover and failback 344
Recommended System Architecture 345
System Architecture for Replication 345
System Architecture for Redundancy 346
Replication and Failover Requirements 347
1. Preparing Appliances for Replication and Failover 349
Setting Up the Primary Appliance 349
Setting Up Additional Appliances 350
2. Setting Up Replication Between Appliances 351
Enabling Replication on the Primary Appliance 351
Enabling Replication on the Second Peer or Standby Appliance 352
3. Adding a Replication Subscription 353
Testing Replication 356
Checking the Appliance Replication Status 356
Testing Two-Way Replication 358
4. Setting Up Failover 359
Configuring Email Notifications for Replication Events 361
Removing Replication and Failover 362
Failing Over and Failing Back 363
Automatic Failover 363
Manual Failover 363
Failback 364
16
Monitoring Transactional Replication to Hot Standby 365
Configuring Network Connections 365
Configuring Ethernet Ports 365
Adding Ethernet Routes 366
Enabling Serial Ports 366
Backups 367
Backing Up System Data 367
Manually Backing Up Data 368
Restoring Backups 368
Restoring Backups From Other Backup Events 369
Logs 370
Accessing Appliance Logs 370
Software Updates 371
Updating the Appliance Software 371
SSL Certificates Overview 372
Supported Certificate Standards 372
Viewing the SSL Certificate 373
Creating an SSL Certificate 373
Creating a Certificate Signing Request 373
Uploading an SSL Certificate 374
About Appliances page 374
Adding a License 374
Online Licensing 375
Removing a License 376
Viewing the End User License Agreement 378
About Appliances page 378
Managing Collaborations 379

Adding a Collaboration 379
Adding an Events XML Collaboration 381
Collaborations - Events XML Definitions 382
Collaborations - Events XML Example 385
Editing a Collaboration 387
Supported Collaborations 387
17
Running a Collaboration 388
Previewing the General Identity Collaboration Log 389
Extracting a CSV Zip File 390
Deleting a Collaboration 391
Assigning an Event Type to a Collaboration 391
Setup & Settings 393

Schedules and Holidays Overview 393
Schedules 393
Holidays 394
Searching for Schedules 394
Adding Schedules (Intervals in Schedules) 395
Editing Schedules 397
Deleting Schedules 397
Adding Holidays 397
Editing Holidays 398
Deleting Holidays 398
Examples 398
Example 1: Part-Day Holiday 398
Example 2: Additional Access Time 399
Event Types - Introduction 400
Adding Event Types 403
Editing Event Types 403
Deleting Event Types 403
User Forms Overview 403
Adding and Customizing Tabs with User Forms 404
Assigning Tabs to Identities with User Forms 405
Editing User Forms 406
Deleting User Forms 406
User Defined Fields - Introduction 406
Adding a Field for User Forms, Tabs and Lists 407
Adding and Assigning Tabs to Identities with User Fields 407
Adding User Defined Fields to Tabs 408
User Defined Fields - Deleting Fields 408
User Defined Tabs - Deleting 408
User Lists - Introduction 409
Adding Items to a List 409
User Lists - Editing Items 409
18
User Lists - Deleting Items 410
System Settings - Introduction 410
Remote Authentication - Introduction 410
Configuring Remote Authentication Using SSL Certificates 411
About Certificate Pinning 411
Requirements for Using Pinned Certificates 412
Requirements for Using Trusted Certificates 412
Pinning or Trusting Certificates in the ACM System 412
Enabling Remote Authentication for ACM Client Users 413
System Settings - General Fields 414
System Settings - Remote Authentication page 418
System Settings - External Domains list 418
System Settings - External Domains Add page 419
System Settings - External Domain: Edit page 420
System Settings - Certificates list 421
Certificate Upload page 422
Badge Templates and the Badge Designer 422
Using the Badge Designer 423
Badge Templates list 428
External Systems Overview 429
Supported External Systems 429
Adding External Systems 430
Editing External Systems 431
Editing an ENGAGE Site 431
Deleting External Systems 431
External Systems - Integrating an ACM Appliance into an ACC™ Site 432
External Systems - Defining the Badge Camera for the System 434
External Systems - ViRDI 435
External Systems - ViRDI System Settings 435
Bosch Intrusion Panels 436
Integrating the ACM System with Bosch Intrusion Panels 436
Adding a Bosch Intrusion Panel 438
Editing a Bosch Intrusion Panel 438
Viewing Auto-Synced Bosch Intrusion Panels 439
Deleting a Bosch Intrusion Panel 439
Viewing Bosch Intrusion Panel Areas 440
Viewing Bosch Intrusion Panel Points 440
19
Viewing Bosch Intrusion Panel Outputs 440
Viewing Bosch Intrusion Panel Users 441
Assigning Bosch Intrusion Panel Users to Identities 441
Supported Bosch Intrusion Panels 442
DMP Intrusion Panel Installation 445
System Overview 445
Prerequisites 446
Remote Link Software Configuration 446
A.C. Power Failure Notification 447
Panel Encryption 447
Remote Key 447
Step 1: Connecting to a DMP Intrusion Panel 447
Deleting a DMP Intrusion Panel 448
Step 2: Viewing an Installed DMP Intrusion Panel and its Areas, Zones, Outputs and Users 449
Step 3: Assigning DMP Intrusion Users to Identities 449
Enabling Debug Logs 450
Maps - Introduction 450
Maps - Creating and Editing a Map 450
Maps - Linking Maps 451
Using a Map 452
Hardware Status 453
Viewing a Map 453
Map Actions 455
Priority Situations 458

Planning Priority Door Policies 459
Priority Door Policies, Global Actions, and Modes 460
Priority Door Policies and Emergencies 460
Configuring a Secure High-Priority Emergency Response 461
Testing a Secure Priority Emergency Response in the ACM System 463
Activating the High-Priority Emergency Response 465
During a High-Priority Situation 465
Deactivating a Priority Door Policy 466
Limitations of Priority Global Actions 467
Priority Hierarchy 467
Triggering Door Lockdown By Panic Button or Red Card 469
20
Overriding Door Modes and Schedules 472
Adding an Override 472
Accessing the List of Overrides 474
Monitoring Overrides 474
Modifying and Deleting Overrides 474
Modifying an Override 475
Setting Personal Preferences 477

Changing the Password in My Account 477
Setting Your Preferred Language 477
Scheduling Batch Jobs 478
Generating a Batch Report 478
Applying an Identity Profile to a Group Using a Job Specification 479
Applying a Door Template to a Group Using a Job Specification 481
Scheduling a Global Action 483
Setting Batch Door Modes 484
Permissions and Rights 486
Troubleshooting 515
Events 515
Appliance Events 515
Door Events 516
Control Lock Events 520
RU and RM Device Events 520
Intrusion Events 521
DMP Intrusion Events 521
DMP Intrusion Area 521
DMP Intrusion Output 522
DMP Intrusion Panel 522
DMP Intrusion User 524
DMP Intrusion Zone 525
Panel Events 526
SALTO Key Events 527
Subpanel Events 527
System Events 527
Appendix: pivCLASS Configuration 529

Overview 529
21
Prerequisites 529
Enabling FIPS 140-2 Encryption on ACM Appliances 529
Enabling Large Encoded Card Format and Embedded Authorization on Panels 530
Updating Firmware 531
Adding Doors 531
Adding Reader Templates 531
Assigning Large Encoded Formats to Panels 532
Viewing Identities and Tokens 532
Monitoring Events 532
Glossary 533
22
Introduction
This guide provides an overview of the Admin role as defined in the Avigilon Access Control Manager (ACM)
software. This guide is meant to be used and referred to by those assigned the role of an Admin within the
ACM software.
The Admin role oversees the ACM system. They are responsible for monitoring and maintaining the ACM
system. For more information, see Permissions and Rights on page 486.
Note: This guide does not define the role of an Admin on all sites. Please contact your System
Administrator for more details.
Logging In
You can log in to the ACM system from any web browser that has access to the same network.
1. Open your preferred browser.

2. In the address bar, enter the IP address of your ACM appliance.
3. Enter your username in the Login field.
4. Enter your password in the Password field.
5. Click the Sign in button.
The application's Home page is displayed.
Note: If you are logging in to the ACM application for the first time, the default password for
the admin username must be changed. In addition, if you are performing a system upgrade,
the default password for the admin username must be changed if it was not changed
previously.
Tip: To change your password after initial installation, see Changing the Password in My
Account on page 477 and Changing the Administrator Password on page 26. For information
about the Password Strength Enforced field, see Password Strength Enforced on page 417.
Introduction 23
Initial Setup
After installing your ACM appliance, complete the following recommended setup procedures:
Accepting the End User License Agreement

Before you can use the ACM system, you must accept the End User License Agreement.
1. In the top-right, select > Appliance.

2. In the About tab, click View End User License Agreement Terms and Conditions.
3. Review the license agreement then select the checkbox.
4. Click Submit.
Now you can license and configure the ACM system.
Upgrading Your License Format

The ACM 6 license format is different from previous versions. If you upgraded from ACM 5.12.2 to ACM 6.0.0
or later, you will need to upgrade your license format in order to add new licenses. Do not add any new ACM
6 licenses until you have upgraded your old licenses.
Note: If your system is licensed for more than the maximum number of readers, you will not be
eligible for an upgrade license. You can continue using your existing system, or contact sales to add
more features.
If you do not upgrade your license format, you can continue to use your existing features. However, you will
not be able to license new features.
Important: If you use the replication and failover features of the ACM system and you choose to
upgrade the license format you must upgrade the license format on both the primary and standby
ACM appliances. Replication features, including failover, will not function if the license format is not
the same on both appliances. Complete the following steps on both appliances.
1. In the top-right, select >Appliance.

2. In the About tab, click Download Upgrade File.
3. Email the .bin file to acm.license@avigilon.com. You will receive a response in 1-2 business days with
an Activation ID for each feature you have. You can continue to use the ACM appliance during this
time.
Initial Setup 24
4. After you receive the Activation IDs, follow the procedure in Adding a License on page 374. You will
only need to enter one of the Activation IDs to automatically license the system for all features your
device is entitled to.
Adding a License
When you first install an ACM 6 system, you will need to license the system to use its features. Add additional
licenses to access new features as required.
If you do not already have a license, purchase one from Avigilon.
Online Licensing
If you have Internet access, use online activation. Otherwise, see Offline Licensing below.

2. In the About tab, click Add License.
3. In the Add Licenses dialog, enter your Activation IDs.
l Click Add ID to add additional Activation IDs.
l Click Remove Last ID to clear the last Activation ID entered.
4. Click Activate Licenses.
Offline Licensing
Offline licensing involves transferring files between a computer running the ACM system and a computer with
Internet access.
In the ACM system:

3. In the Add Licenses dialog, select the Manual tab.
4. Enter your Activation IDs.
5. Click Save File... and select where you want to save the .key file. You can rename the file as
required.
6. Copy the .key file to a computer with Internet access.
In a browser:
Adding a License 25
1. Go to activate.avigilon.com.
2. Click Choose File and select the .key file.
3. Click Upload.
Important: When reactivating a site cluster, upload all the deactivation .key files first and
then the single activation .key file at last.
A capabilityResponse.bin file should download automatically. If not, allow the download to

occur when you are prompted.
4. Complete the product registration page to receive product updates from Avigilon.
5. Copy the .bin file to a computer running the ACC Client software.
In the ACM system:
1. In the Add Licenses dialog, click Choose File.

2. Select the .bin file and click Open.
Changing the Administrator Password

After you log in to the ACM application, you can change the admin identity's password.
1. Click Identities and then Search.

2. On the Identities list, click A.
3. Select the Administrator, System identity.
4. In the Account Information area, enter a new password in the Password and Confirm fields.
5. Click .
If you are currently logged in with the admin identity, you are automatically logged out. Log in again using
the new password, or use a different Super Admin identity.
Creating a Super Admin Identity

After you log in to the ACM system for the first time and set a new password, it is recommended that you
create a Super Admin identity for configuring the system. By creating a new Super Admin identity, you can
better protect the security of the system by not using the default admin identity, and having a backup identity
in case the default admin password is lost.
1. Click Identities and then Add Identity.

2. Select an Identity Profile in the Identity Profile dialog box and click Continue.
3. In the Identity Information area, enter a Last Name and First Name.
4. In the Account Information area, enter a Login name for accessing the system.
Changing the Administrator Password 26

5. In the Password and Confirm fields, enter a password for the new identity. The password must be at
least four characters long.
6. Click and the Roles tab is automatically displayed.
7. In the Roles tab, select Super Admin from the Available list and click to assign the new identity
to the Super Admin role.
8. Click .
Only these settings are required to create a Super Admin identity. You can add and configure more details for
the account.
Creating a Super Admin Identity 27

Monitoring
The Monitoring screen gives you access to view all events and alarms in the system. It also allows you to view
and control connected hardware. An event occurs for changes in the software or hardware. For example,
when a user accesses a door. An alarm occurs when the system detects an unusual event. For example, a
forced door. Hardware can be controlled to grant or restrict access to an area. For example, a door can be
disabled to deny access to a hazardous area.
Note: If you do not have the correct delegations, you may not be able to access some of the
following pages. See your System Administrator for details.
Monitoring Events
Events are defined as any activity that is reported between the ACM appliance and the hardware it oversees.
An event includes all alarms, but not all events are alarms. Events can include changes in configuration, a
report on door access, adding a new badge holder to the system, and more. In other words, any transfer of
data within the system is an event.
To view the events:
1. Select Monitor > Events.

2. Click any of the following buttons:
Note: Some of the buttons are disabled until you select an event that includes the relevant details.
l Pause button — Pauses the flow of events that are displayed on the page.
The flow of events does not actually stop, the system simply pauses the display of live updates until
you click Resume.
l Resume button — Restarts the flow of events that are displayed on the page.
This button only appears when the flow of events is paused.
l Clear button — Temporarily clear all events from the screen. New events automatically begin to
populate the list. To restore the cleared events, refresh the page.
l Live Video button — Displays live video that is associated with the selected event.
l Recorded Video button — Displays recorded video that is associated with the selected event.
l Notes button — Enter a new note or displays any previously saved notes for the selected event.
l Instructions button — Displays any instructions that should be completed when the event occurs. The
instructions were added when the event was created.
l Identity button — Displays details about the person that triggered the selected event.
Monitoring 28
l History button — Displays a detailed history of this event.
l Save Settings button — Saves your current settings for this page. For example, the columns and order
for this page.
l Select Columns button — Choose the information that you want displayed.
Check the box for each column that you want to see, and clear the box for each column that you want
hidden.
Click and drag the columns to move them into the order you want.
l Reconnect button — Reconnects to the appliance.
This button only appears if your browser has become disconnected from the appliance and an error is
displayed.
Pause/Resume Events
The display of live event updates can be paused. This allows you to view and investigate a specific event
without having to search for it. Once the event has been reviewed, the display of live event updates can be
resumed.
Follow the steps below to pause and resume events.
1. Click Monitor to access the Monitor Events page. For more detail see Monitoring Events on the
previous page.
2. Click Pause to pause the flow of events that are displayed on the page.
The flow of events does not actually stop, the system simply pauses the display of live updates until
you click Resume (this button only appears when the flow of events is paused).
3. Click Resume to restart the flow of events that are displayed on the page.
The list of events will resume updating.
Clear Events
Follow the steps below to clear all displayed events.
1. Click Monitor to access the Monitor Events page.

2. Click Clear to temporarily clear all events from the screen.
The list will be cleared. New events automatically begin to populate the list.
Note: This does not delete the events, it just removes the existing events from the view. To
restore the cleared events, refresh the page.
View Live Video

Live video that is associated with a selected event can be displayed from the Monitoring Events page. For
example, if an unusual event occurs, the live video can be viewed to observe the event and determine if any
actions need to be taken.
Pause/Resume Events 29
Follow the steps below to view live video.
1. Click Monitor. The Monitor Events page displays (for more information, see Monitoring Events on
page 28).
2. Select an event from the list.
Only events or alarms with an icon will have video.
3. Click Live Video to display live video that is associated with the selected event. (This button only
displays if video is available for this event.)
The Monitor Screen - Live Video window displays. View the live video in this window.
If the window does not display any video in the image panel, you may need to change your browser
settings to allow the display of insecure or mixed content. For more information, see the Help files for
your browser.
View Recorded Video

Recorded video that is associated with a selected event can be displayed from the Monitoring Events page.
For example, if an unusual event occurred the previous day, the recorded video can be viewed to observe
event and determine if any actions need to be taken.
Follow the steps below to view live video.
1. Click Monitor. The Monitor Events page displays (for more information, see Monitoring Events on
page 28).

3. Click Recorded Video to display recorded video that is associated with the selected event. (This
button only displays if video is available for this event.)
The Monitor Screen - Recorded Video window displays. View the video in this window.
your browser.
Create Event Notes

Notes can be added and viewed for all events that occur in the system. For example, if an observation is
made on an event, a note can be made for that event.
Follow the steps below to create event notes.

2. Select the event that you want to create notes for.
3. Click Notes to create notes for the selected event.
The Monitor Screen - Notes Window will display.
4. Enter text in the New Note field.
View Recorded Video 30

5. Click to save the new note.
The note will display in the list below the New Note section. The date, Operator and note will display
in this list.
6. Close the dialog box.
View Event Notes

Notes that are associated with an event can be displayed from the Monitor Events page. For example, if
another user created a note for an event, you can view the note to get more information about the event.
Follow the steps below to view event notes.
1. Click Monitor to access the Monitor Events page (for more information, see Monitoring Events on
page 28).
2. Select the event that you want to view notes for. (Events with notes will display with in the Icon
column.)
3. Click Notes to view notes for the selected event. (Alternatively clicking will do the same thing.)
The Monitor Screen - Notes Window will display. Existing notes will display as a list below the New
Note section. The date, Operator and note will display in this list.
View Event Instructions

Instructions can be viewed for a selected event. The instructions tell the operator what actions need to be
taken when the event occurs. For example, if a user is denied access to a certain area, the action may be to
review their identity, and determine if they have permission to access the area.
Follow the steps below to view event instructions. The instructions were added when the event was created.
page 28).
2. Select the event that you want to view instructions for. (Events with instructions will display with in
the Icon column.)
3. Click Instructions to view instructions for the selected event.
The Monitor Screen - Instructions Window will display. View the instructions in the table that displays.
4. Close the window to return to the Monitor Events page.
View Event Identity Details

Follow the steps below to view event identity details.
View Event Notes 31

page 28).
2. Select the event that you want to view identity details for.
3. Click Identity to view identity details for the selected event.
The Monitor Screen - Identity Window will display.
4. View the details (e.g. Last Name, First Name, Title, etc.).
5. Close the window to return to the Monitor Events page.
View Event History

Follow the steps below to view event history.
page 28).
2. Select the event that you want to view history for.
3. Click History to view history for the selected event.
The Monitor Screen - History Window will display.
4. View the history details.
5. Close the window to return to the Events list.
Change Events List Settings

Follow the steps below to change the settings of the events list.

The list displays in date order, with the most recent events at the top of the list.
2. If you want to re-sort the order of the list:
l Click in the heading of the column to sort by (e.g. Priority). The list will sort in ascending order
based on that column (e.g. ascending order of priority).
l To change the sort order to descending, click the column heading again.
3. If you want to re-sort the order of the columns, click on the column you want to move then drag and
drop this to it's new location.
4. If you want to add or remove columns, click Select Columns and:
l Click beside the Column name of any columns to be added so that a check mark displays.
l Click beside the Column name of any column to be deleted so that a check mark no longer
displays.
5. Click Save Settings if you want to save the new settings.
A message box displays with the message ACM Notification. Successfully saved.'.
Reconnect to Events List

Follow the steps below to reconnect to the ACM appliance.
View Event History 32

page 28).
If your browser loses connectivity with ACM appliance the Reconnect button displays.
2. Click Reconnect to reconnect.
Searching for Events and Alarms

The number of alarms and event transactions can total into the thousands depending on the level of activity
in your system. To find specific events, you can perform a search.
Searching for specific events allows you to easily find an event in the system. For example, searching for
events can be used in situations where more information is needed on an event thought to be unusual or
suspicious. Once an event has been found, information such as recorded video, or notes can be viewed.
1. Select Monitor > Search.
2. Scroll to the bottom of the page and click the icon.
Figure 1: Search options
3. From the first drop down list, select the data type that you want to search. The options are:
l Panel Date
l Last Name
l Card Number
l Message
l Event Name
l Event Type
l Source
4. From the second drop down list, select the appropriate argument for your search. The available
arguments change depending on the selected data type. An argument may require you to make a
selection, specify a date, or enter some text.
6. If you want to narrow your search further, click to add another search filter.
Searching for Events and Alarms 33

7. If you want to narrow your search, click to add another search filter.
7. Add as many search filters as you need to fulfill your search criteria.
8. When you have entered all your search criteria, click Search. The search results are listed in the
table above the search area.
9. Select any transaction from the search result and use the action buttons at the top of the page to see
the details of the event.
View Camera (Search)

Live video that is associated with a selected event can be displayed from the Monitoring Search page. For
example, if an event is found with live video associated with it, the operator can view the video and determine
if any action needs to be taken.
Follow the steps below to view live video from a camera from the Events Search (Transactions) page.
1. Click Monitor > Search.

Only events or alarms with an icon will have video. The icons are not displayed by default. For more
information, see Change Transactions List Settings on page 36.
3. Click Camera to display live video that is associated with the selected event.
4. View the live video in this window.
your browser.
View Recorded Video (Search)

Recorded video that is associated with a searched event can be displayed from the Monitoring Search page.
For example, if an unusual event is found in the search results, the recorded video can be viewed to observe
the event and determine if any actions need to be taken.
Follow the steps below to view live video from the Events Search (Transactions) page.

Only events or alarms with an icon will have video. The icons are not displayed by default. For more
information, see Change Transactions List Settings on page 36.
View Camera (Search) 34

3. Click Recorded Video to display recorded video that is associated with the selected event.
Note: An event with recorded video associated with it may display an error message if the
recorded video is no longer available on the video recorder.
4. View the video in this window.

your browser.
Create Event Notes (Search)

Notes can be added and viewed for all events that occur in the system. For example, if an observation is
made on an event, a note can be created for that event.
Follow the steps below to create event notes from the Events Search (Transactions) page.


in this list.
View Event Notes (Search)

Notes that are associated with an event can be displayed from the Monitor Search page. For example, if an
event is found with an associated note, you can view the note to get more information about the selected
event.
Follow the steps below to view event notes from the Events Search (Transactions) page.

2. Select the event that you want to view notes for.
3. Click Notes to view notes for the selected event.
View Event Instructions (Search)

Instructions can be viewed for a selected event. The instructions tell the operator what actions need to be
Create Event Notes (Search) 35

taken when the event occurs. For example, if a user is denied access to a certain area, the action may be to
review their identity, and determine if they have permission to access the area.
Follow the steps below to view event instructions from the Events Search (Transactions) page. The
instructions were added when the event was created.

2. Select the event that you want to view instructions for.
The Monitor Screen - Instructions Window will display.
4. Close the window to return to the Events Search (Transactions) page.
View Event Identity Details (Search)

Follow the steps below to view event identity details from the Events Search (Transactions) page.

View Event History (Search)

Follow the steps below to view event history from the Events Search (Transactions) page.

Change Transactions List Settings

The events list shows a default set of fields for each event. You may want to add columns to this list.
For example, if you want to search this list to see if an event occurred on a door that has a camera associated
with it, add the icons column. This column displays a next to any event from a door that has a camera
associated with it.
Follow the steps below to change the settings of the events list.
View Event Identity Details (Search) 36

4. If you want to add a column, hover the mouse over any column heading and:
a. Click the down arrow that is displayed.
b. Click the checkbox for each column you want to add.
A message box displays with the message 'ACM Notification. Successfully saved.'.
Monitoring Alarms
Alarms that occur in the system are listed in the Monitor Alarms page as they occur (accessed through
selecting Monitor > Alarms).
An alarm occurs when the system senses an unusual event such as a forced or held door. Each alarm needs
to be reviewed and responded to. Information on the alarm can be viewed, along with any available video.
After an alarm has been acknowledged, it is moved to the list of acknowledged alarms. This list allows users
to view past alarms and clear them from the system.
To review and acknowledge alarms, select one or more alarms from the Unacknowledged Alarms list then
click one of the following buttons:
l Acknowledge — Click this button to acknowledge one or more selected alarms. The selected alarms
are moved to the Acknowledged Alarms list.
l Acknowledge All — Click this button to acknowledge all alarms that are currently active and
unacknowledged.
l Live Video — Click this button to display live video associated with the selected alarm.
l Recorded Video — Click this button to display recorded video associated with the selected alarm.
l Notes — Click this button to enter a new note or display any previously saved notes for the selected
event.
l Instructions — Click this button to display any instructions that should be completed when the alarm
occurs. The instructions were added when the event was created.
l Identity — Click this button to display details about the person that triggered the selected alarm.
Monitoring Alarms 37
l History — Click this button to display a detailed history of this alarm.
l Save Settings — Click this button to save your current settings for this page. For example, the columns
and order for this page.
l Sound Off — Click this button to mute any alarm noises on the device used to monitor Alarms.
When sound is muted, the button changes to Sound On. Click this button to turn the sound back on.
l Select Columns — Click this button then choose the information that you want displayed.
hidden.
After an alarm has been acknowledged, the alarm is added to the Acknowledged Alarms list. You can clear
the alarms from the list as needed.
l Clear — Click this button to clear one or more acknowledged alarms from the list.
l Clear All — Click this button to clear all alarms from the Acknowledged Alarms list.
l Select Columns — Click this button then choose the information that you want displayed.
hidden.
Acknowledge Alarms
When an alarm occurs in the system, an action must be taken. Once the alarm is resolved, it must be
acknowledged. This tells the other users of the system that the alarm has been dealt with and is not a
problem.
Follow the steps below to acknowledge alarms.
1. Click Monitor > Alarms.

2. To acknowledge a single alarm:
l Select the alarm in the Unacknowledged Alarms list.
l Click Acknowledge. The alarm will move to the Acknowledged Alarms list.
3. To acknowledge multiple alarms:
l Select the first alarm in the Unacknowledged Alarms list.
l If the alarms to be acknowledged are consecutive in the list, click on the first entry, then hold
SHIFT down and click on the last entry.
l If the alarms to be acknowledged are not consecutive, click on the first entry, then hold CTRL
down and click on each entry.
l Click Acknowledge. The alarms will move to the Acknowledged Alarms list.
4. To acknowledge all alarms, click Acknowledge All. The alarms will move to the Acknowledged
Alarms list.
Acknowledge Alarms 38
View Live Video (Alarms)
Live video that is associated with a selected alarm can be displayed from the Monitoring Alarms page. For
example, if an alarm occurs, the live video can be viewed to observe the alarm and determine if any actions
need to be taken.
Follow the steps below to view live video from the Monitor Alarms page.
1. Click Monitor > Alarms. For more information see Monitoring Alarms on page 37.
2. Select an alarm from the list.
3. Click Live Video to display live video that is associated with the selected alarm. This button only
displays if video is available for this alarm.
The Monitor Screen - Live Video window displays. View the live video in this window.
your browser.
View Recorded Video (Alarms)

Recorded video that is associated with a selected alarm can be displayed from the Monitoring Alarms page.
For example, if an alarm occurred the previous day, recorded video can be viewed to observe the alarm and
determine if any further actions need to be taken.
Follow the steps below to view recorded video from the Monitor Alarms list.
1. Click Monitor > Alarms. The Monitor Alarms page displays (for more information see Monitoring
Alarms on page 37).

3. Click Recorded Video to display live video that is associated with the selected event. (This button only
displays if video is available for this event.)
The Monitor Screen - Recorded Video window displays. View the video in this window.
your browser.
Create Event Notes (Alarms)

Notes can be added and viewed for all alarms that occur in the system. For example, if an observation or
action is made on an alarm, a note can be created to document the details.
Follow the steps below to create event notes from the Monitor Alarms page.
View Live Video (Alarms) 39

1. Click Monitor > Alarms. The Monitor Alarms page displays. For more information see Monitoring
Alarms on page 37.

in this list.
View Event Notes (Alarms)

Notes that are associated with an alarm can be displayed from the Monitor Alarms page. For example, if
another user created a note for an alarm, you can view the note to get more information about the alarm.
Follow the steps below to view event notes from the Monitor Alarms page.
Alarms on page 37.
2. Select the event that you want to view notes for. Events with notes will display with in the Icon
column.
3. Click Notes to view notes for the selected event. Alternatively clicking will do the same thing.
4. Close the dialog box to return to the Monitor Alarms page.
View Event Instructions (Alarms)

Instructions can be viewed for a selected alarm. The instructions tell the operator what actions need to be
taken when the alarm occurs. For example, if an alarm occurred, the instruction could be to investigate the
alarm and write a note describing the situation.
Follow the steps below to view event instructions from the Monitor Alarms page. The instructions were added
when the event was created.
1. Click Monitor > Alarms to access the Monitor Alarms page displays. For more information see
Monitoring Alarms on page 37.
2. Select the event that you want to view instructions for. (Events with instructions will display with in
the Icon column.)
View Event Notes (Alarms) 40

The Monitor Screen - Instructions Window will display. View the instructions in the table that displays.
4. Close the window to return to the Monitor Alarms page.
View Event Identity Details (Alarms)

Follow the steps below to view event identity details from the Monitor Alarms page.
Alarms on page 37.
View Event History (Alarms)

Follow the steps below to view event history from the Monitor Alarms page.
1. Click Monitor > Alarms to access the Monitor Alarms page. For more information see Monitoring
Alarms on page 37.
Change Alarms List Settings

Follow the steps below to change the settings of the alarms lists on the Monitor Alarms page.
1. Click Monitor > Alarms to access the Monitor Alarms page. For more information see Monitoring
Alarms on page 37.
View Event Identity Details (Alarms) 41

4. If you want to add or remove columns, click Select Columns and do the following:
displays.
5. If you want to change the sound settings:
l If the sound is on, click Sound Off to turn the sound off.
l If the sound is off, click Sound On to turn the sound on.
A message box displays with the message ACM Notification. Successfully saved.'
Note: To reset default settings, select > Clear Custom Layouts. This resets all customized lists
to their default setting.
Using the Verification page

When you click Monitor > Verification, the Verification page is displayed.
This page allows a qualified operator to review information, including photos, about card holders entering or
exiting specific doors.
The page is divided into two halves - the top Doors section and the bottom Events section.
l At the top of the page are four door panes that allow you to select and monitor four doors at a time.
After you select a door to a pane, you can monitor live event transactions as they occur at that door.
l Underneath the door panes is a list of live door transactions displayed like the Events page.
Not all door events will display in this list. Only events in the priority number range 300 to 700 display.
A full listing of all events is available on the Monitor Events page.
Verifying Identities at Doors

Select Monitor > Verification to open the Verification page to verify and confirm the identity of any person
who passes through the selected doors:
1. From one of the Doors drop down lists, select a door.

2. To select another door, repeat previous step in the other panes. The drop down list automatically
updates to filter out the doors that have already been selected.
When a person attempts to pass through one of the monitored doors using a card, the person's
identity information is displayed:
Using the Verification page 42

If the person:
l Has a valid identity, the information includes the name and internal token number.
l Has a photo stored in the Identity record, it is displayed. If the person does not pass through the
door, of the time and date of entry.
l Is authorized to pass through the door the time and date of entry is displayed, unless they do
not actually pass through the door ("not used" is displayed instead).
l Is not authorized to pass through the door, an "Unauthorized" message is displayed.
l Presents an invalid identity, an "Invalid" message is displayed.
At the bottom of the screen are all of the detailed events generated at the doors, including those of
any not associated with identities.
Verification Events List

Follow the steps below to add doors to monitor on the Verification page.
1. Click Monitor > Verification. The Verification page displays. For more information see Using the
Verification page on the previous page.
This page has two sections - doors and an events list. For more information on the doors display see
Verifying Identities at Doors on the previous page. The events list displays in date order, with the most
recent events at the top of the list.
Note: Not all door events will display in this list. Only events in the priority number range 300
to 700 display. A full listing of all events is available on the Monitor Events page.
2. If you want to clear a single event from the list, select the event and click Clear. To clear all events,
click Clear all.
Verification Events List 43

5. If you want to add or remove columns, click Select Columns and:
displays.
A message box displays with the message 'ACM Notification. Successfully saved.'.
Note: Saving the settings only saves the column configuration. The doors selected for
verification will need to be selected each time you return to the page.
Note: To reset default settings, select > Clear Custom Layouts. This resets all customized lists
to their default setting.
Using the Dashboard

The Dashboard provides a real-time status summary of the hardware components that are connected to the
ACM system. The hardware categories are panels, subpanels, doors, inputs, outputs and ACM appliances.
Select Monitor > Dashboard for a top-level view of the Dashboard where you can drill down for details.

Area Description
1 Dashboard Sidebar Navigation menu for the Dashboard, Panels table,

table, table, table, table and
Subpanels Inputs Outputs Doors
table ( if a power supply is connected).
Power Supplies LifeSafety
From the Panels table, you can access a list of subpanels in the
Subpanels table. From the Subpanels table, you can access a list of
inputs and outputs in the Inputs and Outputs tables.
From the Inputs and Outputs tables, you can directly access the list of
inputs and outputs.
From the Doors table, you can control individual doors, investigate doors
with active faults, and see more information about the state of individual
doors.

Area Description
2 Dashboard Displays a summary of hardware faults or unexpected input and output

state changes as they occur. As the status of hardware components
changes, the status indicators on the Dashboard change color. For more
information, see Status Colors below.
The total number of connected hardware components (installed and

uninstalled) is displayed above a real-time fault or status list. For panels,
subpanels, inputs and doors, the number of installed components in each
fault state is displayed. If no faults occur, their status is green. For
outputs, the numbers indicate the number of installed outputs in each
state. When no components are displayed in a state, the status is either
green or 0.
3 Panels Displays a summary of the fault state of the installed panels. Click the
number next to the fault to drill down to the details of the fault in the
Panels table, which is filtered to display only the panels with that fault.
4 Subpanels Displays a summary of the fault state of the installed subpanels. Click the
number next to the fault to drill down to the details of the fault in the
Subpanels table, which is filtered to display only subpanels with that fault.
5 Inputs Displays the total number of inputs in each state. Click the number next
to the state to drill down to the Inputs table, which is filtered to display
only inputs with that state.
6 Outputs Displays the total number outputs in each state. Click the number next to
the state to drill down to the Outputs table, which is filtered to display
only inputs with that state.
7 Doors Displays the summary of the fault state of the installed doors. Click the
number next to the fault to drill down to the Doors table, which is filtered
to display only alarms with that fault.
8 Appliances When no issues occur in the ACM appliance items, their status is green.
Hover the mouse over each status indicator to see more details. For
example, "RAM free 45%" displays for the RAM status.
Status Colors
Status colors identify the health of the different devices in the system. The status colors represent the
following states:
Status Colors 46
Color Status Description
Normal Online and working properly.
Inactive Input or output is in its normal state.
Trouble Indeterminate or offline status of inputs, outputs, panels or subpanels, and the
ACM appliance. Inputs or outputs may be operating in a wiring fault state.
Alarm Alarm condition. An ACM operator should investigate the problem and resolve the
issue.
Active Input or output circuit is no longer in its normal state.
Masked Input is currently masked. Its actual state is not displayed. Masked inputs are
intended to change as part of normal operations, so that they are not constantly
being reported.
Appliance Transactions Indicators

The status colors represent the following appliance states:
Color Status Description
Normal The appliance transactions stored in the system are less than 85% of the
maximum stored transactions threshold.
Trouble The appliance transactions stored in the system are between 85% - 95% of the
maximum stored transactions threshold.
Alarm The appliance transactions stored in the system are over 95% of the maximum
stored transactions threshold.
Tip: When the transactions are close to exceeding the maximum stored transactions threshold, do
the following:
l Schedule backups of the transactions before their deletion.

l Increase the Max Stored Transactions setting.
l Adjust the Max Days Stored setting, according to your corporate IT policy.
Device Status
Panels, Subpanels, Inputs, Outputs and Doors only.
To see the legend for device status:

l Click Legend to see the list of statuses and the related icons. For other input statuses which appear in
the legend, see Status Colors on the previous page.
Appliance Transactions Indicators 47

Note: Not all statuses apply to devices. For example, only normal, uninstalled, communication and
battery statuses apply to Control locks.
Icon Status Description
Normal The panel, subpanel or door is operating normally.
Uninstalled The panel, subpanel, input, output or door is not installed.
Communication Communication between the panel, subpanel or door, and the ACM
system is enabled.
Unlocked The door is unlocked and is not secure.
Held The door is being held open.
Power The panel or subpanel power input circuit is open.
Battery The battery input circuit is open or is running low.
Tamper The tamper input circuit is open.
Forced The door was forced open without a grant operation.
Synchronization Synchronization between the door and the ACM system is pending.
Synchronization Synchronization between the door and the ACM system is out of sync.
ASSA ABLOY IP door. The out of sync door requires operator intervention

to reload or reset the lock. For more information, refer to ASSA ABLOY
documentation.
SALTO online door. Wait for the update.
SALTO standalone door. Requires operator intervention. Use the portal

programming device (PPD) to update the door mode. For more
information, refer to SALTO systems documentation.
Security Status
To see the legend for device status:
l Click Legend to see the list of statuses and the related icons.
Security Status 48
TLS Required The panel is configured to use Transport Layer Security (TLS) protocol to
secure communication with the ACM appliance.
TLS & Certificate The panel is configured to use TLS protocol and a certificate to secure
Required communication with the ACM appliance.
Installing, Uninstalling and Deleting Panels and Subpanels

Click at the end of a row in the Panels table or Subpanels table to:
l View — Displays the Panel: Status or Subpanel: Status table.
l Install — Enables communications between the ACM system and the panel or subpanel.
l Uninstall — Disables communications between the ACM system and the panel or subpanel.
l Delete — Removes the connection between the ACM system and the panel or subpanel.
Viewing, Masking and Unmasking Inputs

Panels, Subpanels and Inputs only.
l
Click at the end of a row in the Inputs table to:
o View — Displays the Input: Edit page.
o Mask — Masks the selected input.
o Unmask — Unmasks a previously masked input.
Viewing, Activating and Deactivating Outputs

Panels, Subpanels and Outputs only.
1. Click the name of the panel and subpanel to display the Outputs table.
Or click Outputs on the Dashboard home page.
2. Click at the end of a row in the Outputs table to:

l View — View the Output: Edit page.
l On — Power the output. If the output is a door, it activates the circuit.
l Off — Turn off the power to the output. If the output is a door, it deactivates the circuit.
l Pulse — Alternately activate and deactivate the output. The pulse interval is determined by the
output’s settings.
Searching Panel, Subpanel, Input and Door Names

Panels, Subpanels, Inputs and Doors only.
Installing, Uninstalling and Deleting Panels and Subpanels 49

1. Use any (or all) of the following to define your search:
l Enter your search term in the Search... field. Use any series of letters and numbers to search for
the panels you want to see.
l If known, select the Device Status.
l If known, select the Appliance the panel is connected to.
l If known, select the Group the panel is included in.
2. Click OK. The list is filtered to show the results of your search.
Saving Door Filters

Many facilities require the control and monitoring of dozens, even hundreds, of doors simultaneously. This
can result in a crowded listing page. You can search for specific doors to narrow the list of doors, filter the
columns for specific values, and create and save custom filters. You can then sort the results using any one
column.
1. Click Advanced Filters in the upper-right corner.

2. Select filters:
l Alarms — Includes the alarms from the list of alarms.
l Masked — Includes the masks from the list of masks.
l Normal — Includes all properly functioning doors.
l Door Mode — Includes the list of door modes.
To unselect all selected filters, click Unselect All.
3. To save the selected filters, select Remember Filters.
4. Click OK.
Controlling Doors
While you are monitoring the system, you may need to override the default door settings to allow a visitor
access to an area, or unlock a door in an emergency situation. From a Doors listing page in Physical
Access or Monitor > Dashboard, use the Door Action, Door Mode, Forced, Held, and Installed drop-down
menus to control doors.
Doors can also be controlled from Monitor > Maps. For more information, see Using a Map on page 452.
Note: Only the Installed options are available for virtual doors installed for use with ACM Verify
readers.
Saving Door Filters 50

1. Select the checkbox for each the door you want to control.
Or click All at the top of the left column to select all doors or None to deselect all doors.
2. For one or more doors, select a Door Action if required:
Note: The door actions below are not applicable for Schlage offline Wi-Fi doors or SALTO
standalone doors. Only Grant is applicable for Schlage Control™ locks. Only Unlock and
Locked No Access are applicable for Von Duprin remote undogging (RU) devices. Locked No
Access and Disable are not applicable for ASSA ABLOY battery-powered and external-
powered doors.
l Grant — Momentarily grants access to the door to permit a single-time entry.

l Restore — Restores the Door Mode to its default configuration or Custom Mode.
Schlage locks with activated lock functions only. Restoring a door that has an activated Lock
Function (Classroom, Office, Privacy, or Apartment) removes the Lock Function and resets the
door mode to its default configuration.
For ASSA ABLOY IP doors only. Restoring a door results in the door going offline temporarily in
the ACM system.
l Unlock — Unlocks the door. The door remains unlocked until the Locked No Access command
is issued or until an operator override or scheduled action is initiated.
l Locked No Access — Locks the door. The door remains locked until the Restore command is
initiated or until an operator override or scheduled action is initiated.
l Disable — Disables the door. The door stops operating and allows no access to anyone.
l Lock (ASSA ABLOY Only) — For ASSA ABLOY IP doors only. Locks the door. The door remains
locked until a scheduled action is initiated.
3. Select any of the following Door Mode options to change the door mode.
For more information, see Door Modes on page 213.
4. Select either of the following Forced options if required:
l Mask Forced — Masks the Forced Door Alarm for the door. The status color changes to blue
and is no longer included in any alarm subtotal.
l Unmask Forced — Unmasks the Forced Door Alarm for the door.
5. Select either of the following Held options if required:
l Mask Held — Masks the Door Held Open Alarm for the door.
l Unmask Held — Unmasks the Door Held Open Alarm for the door.
6. Select either of the following Installed options if required:
l Install — Installs a door. Enables communication between the door and the ACM system.
l Uninstall — Uninstalls a door. Disables communication between the door and the ACM system.
7. Select Delete — Removes the connection between the door and the ACM system.
Accessing Web Interface of Power Panels

When LifeSafety power panels are installed in your ACM system, you can access the web interface of the
Accessing Web Interface of Power Panels 51

panel to view the panel's current status or its event log, and edit its configuration.
l Click the name of the LifeSafety power panel to display the panel details.
l
The (installed) or (uninstalled) status of the panel is read-only and cannot be changed.
l Click a command:
o Status — Displays the current status of the LifeSafety panel.
o Log — Displays the log of events and alarms recorded by the LifeSafety panel.
o Edit — Displays the browser page for the remotely connected panel. Edit the configuration as
required.
Using Map Templates

When you click Monitor > Maps, the Map Templates page displays. This page lists all the maps that have
been added to the system.
Feature Description
Add Map Click this button to add a new map template.
Template
Name The name of the map template.
A list of all the configured maps is displayed. Also included in the list are configured
Mustering dashboards.
Click the name of the map template to display the configured map or dashboard.
Using a Map
Access a map of your site, facility or floor plan from the Monitor page to do any of the following:
l Monitor the status of doors, panels, subpanels, inputs and outputs that are installed. For example, a
mustering station on the third floor of a building.
l Set the door mode and door commands on the map.
Note: Unlike the Physical Access > Doors or Monitor > Dashboard page which displays
all modes and commands regardless of door type, the Monitor > Maps page displays only
the modes and commands that are supported by your door or device.
l Keep track of identities as they arrive at muster stations from the Mustering dashboard.
Hardware Status
The following indicators are displayed on the map as events occur:
Using Map Templates 52

Green bar The hardware is operating normally.
Red square The hardware is in an alarm state. The counter in the

square shows the number of unacknowledged events.
Solid blue disk An active override is in effect on the door.
Hollow blue disk An inactive override is defined.
Red bounding box around The door is in Priority Mode.

the status bar
Viewing a Map
To access and monitor your site from a map:
1. Select Monitor > Maps.

2. In the Map Templates list, click the name of a map.
Some of the displayed elements may not appear in your map or the example below.
Figure 2: Example map of a muster station on the third floor
Viewing a Map 53
Note: Fields in this list are dependent on the door or device. Some commands or fields are
not supported for all doors or devices.
Icon Description
Doors
Panels
Subpanels
Inputs
Outputs
Cameras
Zoom In
Zoom Out
Global Actions
Square, circle or Dashboard Elements

text object
Map Actions
The actions you can complete on a map are determined by the permissions of your assigned roles.
To... Do this...
Review The colored bar below each item displays an overview of the current
hardware status communication and power status.
l Click the icon on the map to display the control menu.
For more information about the colored hardware status bar, see the specific
hardware status page. For more information about the status colors, see Status
Colors on page 46.
Review an alarm If you see a red alarm indicator, the item on the map is in an alarm state.
l Click the alarm indicator to see the status details.
For more information about alarm actions, see Monitoring Alarms on page 37.
Modify or delete If you see solid blue disk indicator, an active override is in effect on the door. If
an override you see a hollow blue disk indicator, an inactive override is defined.
l Click the indicator to open the Doors: Overrides page to see details.
Map Actions 54
To... Do this...
Respond to a If you see a red bounding box around the status indicator, the door is in Priority
priority situation Mode.
Important: A door is in Priority Mode when a priority situation has been

declared at your site. All doors affected by the situation are placed into
Priority Mode and only the Priority ACM Operator, responsible for
dealing with priority situations can interact with the door.
Control a door Click on the map to display the control menu for the selected door.
Note: Fields in this list are dependent on the door or device. Some
commands or fields are not supported for all doors or devices.
Use the menu options to set the Door Mode. For more information, see Door
Modes on page 213.
Use the following menu options to mask or unmask alarms:
l Mask Held — Mask the Door Held Open Alarm.
l Unmask Held — Unmask the Door Held Open Alarm.
l Mask Forced — Mask the Door Forced Open Alarm.
l Unmask Forced — Unmask the Door Forced Open Alarm.
To view live video, recorded video, notes, instructions, identities, and history
click Trace to display the event transactions for the door.
To hide the control menu, click the icon again.
Map Actions 55
To... Do this...
Control a panel Click on the map to display the panel control menu, then for the panel or
or subpanel subpanel use these options:
l Panels
o Download Params — Download the latest system configurations
to the panel.
o Tokens — Download the tokens to the panel.
o Reset/Download — Reset and download the current system
configuration to the panel.
o APB Reset — Resets all panel and area counts to zero.
o Clock — Re-sync the panel time.
o Trace — Display the event transactions for the panel.
Note: This is the only option supported for ASSA ABLOY

IP panels.
l Subpanels
o Trace — Display the event transactions for the subpanel.
Viewing live video, recorded video, notes, instructions, identities, and history can
be performed on the event transactions.
Control an input Click the on the map to display the input control men for the input.
Use these options to mask or unmask the input:
l Mask — Mask the input.
l Unmask — Unmask the input.
Control an Click the on the map to display the output control menu for the output.
output
Use these options to initiate output actions:
l On — Activate the output.
l Off — Deactivate the output.
l Pulse — Pulse the output.
Display video Click the on the map to display the Camera Video window.
Open a linked Click to display a linked map, or to display a linked map.

map
Map Actions 56
To... Do this...
Monitor the If there is a Mustering dashboard configured on the map, it may appear as a line
dashboard of text or as a shape with text inside.
The dashboard displays the number of identities in the area and may include the
name of the area. In Example map of a muster station on the third floor on
page 53, the dashboard is the gray square.
Click the dashboard to see a list of all the identities that are in the area. Click
outside the pop-up dialog to hide the identities list. Click the First Name or Last
Name to view the identity.
Adding Maps
Follow the steps below to add maps.
1. Click Monitor > Maps. The Map Templates (Monitor) list displays.
2. Click Add Map Template.
The Map Template: Add page displays.
3. Enter a name for the Map in the Name field.
4. To:
l Upload a file, select File and click Browse then select the file to upload in the Choose File to
Upload dialog box and click Open.
l Create a blank canvas, select Blank Canvas.
5. To resize the image, enter resizing proportions in the Re-size To fields.
6. Click to save the map.
The Map Template: Edit page displays.
Monitoring Bosch Intrusion Panels

The following procedures relate to monitoring Bosch intrusion panels.
Monitor Bosch Intrusion Panel Status

The intrusion panel status displays the current status of all connected intrusion panels. For example, if the
power and communications of the intrusion panel is normal, the Online status will be displayed and a
message will appear when you hover over the power and communications icons.
To monitor intrusion panel status:
Adding Maps 57
1. Select Monitor > Bosch Intrusion Status.
2. View the list that displays.
The following statuses display for panels:
l Communications
l Battery
l Power
l Tamper
l Phone Line
The following statuses apply to all of the above:
Online
Alarm
Trouble
Note: To view more detail on the status, hover over the status icon to view a pop-up message
(e.g. hovering over an Alarm status indicator in the Comm column might return the message
'Not connected, verify configured IP and port').
3. If you want to narrow the list that displays use the filter function. Enter a panel name to filter the list
results by panel. Type in the name (or part of the name) of the panel and the list will update as you
type.
4. If you want to sort the list, click to sort in ascending order, or to sort in descending order in each
column.
Monitoring Areas in Bosch Intrusion Systems
Note: If displays on the Areas tab, it indicates at least one of the areas is in alarm.
Viewing Areas
To monitor the areas of all connected intrusion panels and send commands to them:

2. Click the Areas tab.
A status is displayed for each area.
Armed
Ready to Arm
Monitoring Areas in Bosch Intrusion Systems 58

Not Ready to Arm
Partial Arm
Trouble
Alarm
Note: To view more detail on the status, hover your mouse over the status icon to view a
tooltip. For example, hovering over an Armed status indicator displays 'All On Instant Arm'.
3. To find an area quickly, do any of the following:

l Type the area name in the Filter box.
l Select a status in Status.
l Click the column heading to sort the lists.
Arming Areas
1. Select the areas to be armed.
2. Click Primary and select the arming option.
o Instant Arm - Arm all points for the selected areas instantly.
o Delay Arm - Arm all points for the selected areas with an entry/exit delay.
o Force Instant Arm - Arm all points for the selected areas instantly, regardless of their current
state.
o Force Delay Arm - Arm all points for the selected areas with an entry/exit delay, regardless of
their current state.
Arming Perimeter Areas

1. Select the areas to be armed.
2. Click Perimeter and select the arming option.
o Instant Arm
o Delay Arm
o Force Instant Arm
o Force Delay Arm
Disarming Areas
1. Select the areas to be disarmed.
2. Click Disarm.
Silencing Keypad Alarms

1. Select the areas that are in alarm.
2. Click Silence.
Arming Areas 59
Clearing Alarms
1. Select the areas that are in alarm.
2. Click Clear Alarms.
Resetting Sensors
1. Select the areas.
2. Click Reset Sensors.
The reset time is 5 seconds. During the reset time, alarms from the points associated with the selected
areas will be ignored.
Monitor Bosch Intrusion Panel Points

The intrusion panel points displays the current status of all connected points. For example, if a point has been
bypassed, the bypassed status will display and a message will appear when you hover over the status icon.
To monitor intrusion panel point status:

2. Click the Points tab.
3. View the list that displays. A status is displayed for each point.
The following statuses apply to all of the above:
Normal
Faulted
Bypassed
Trouble
Note: To view more detail on the status, hover over the status icon to view a pop-up message
(e.g. hovering over an Bypassed status indicator might return the messages such as 'Open',
'Missing' or 'Normal').
4. If you want to narrow the list that displays, either:

l Use the filter function. Enter a point name to filter the list results by point. Type in the name (or
part of the name) of the point, area, or panel and the list will update as you type.
l Select a single status (e.g. Faulted) to view.
column.
6. If you want to bypass or unbypass a point:
l Select the point (or points) in the list, and
l Click either the Bypass or Unbypass button.
Clearing Alarms 60
Note: Some points in the system may not be bypassed due to configuration settings. Trying to
bypass these points will result in no state change.
Monitor Bosch Intrusion Panel Outputs

The Bosch intrusion panel outputs display the current status of all connected outputs. For example, if a output
is active, the Active status will display and a message will appear when you hover over the status icon.
To monitor intrusion panel outputs status:

2. Click the Outputs tab.
3. View the list that displays. A status is displayed for each output - the available statuses are:
Inactive
Active
Trouble
4. If you want to narrow the list that displays, either:
l Use the filter function. Enter an output name to filter the list results by output. Type in the name
(or part of the name) of the output, or panel and the list will update as you type.
l Select a single status (e.g. Active) to view.
column.
6. If you want to activate or deactivate an output:
l Select the outputs in the list, and
l Click either the Activate or Deactivate button.
Monitoring and Controlling DMP Intrusion Systems

Select Monitor > DMP Intrusion Status to monitor the status of all connected DMP intrusion panels, areas,
zones and outputs, and send commands to them.
Viewing Panels, Areas, Zones and Outputs
Note: is displayed when at least one of the objects in the tab is in Critical or Unknown condition.
Monitor Bosch Intrusion Panel Outputs 61

l
Type the name of the panel, area, zone or output in the filter box ( ) in their respective tabs.
l Click to enter a checkmark to filter items by the following statuses.
Normal Online and working.

Examples: Area is armed. Zone is in the expected state.
Warning Warning condition.
Examples: Area is disarmed. Zone is bypassed.
Critical Critical condition.
Examples: Area is armed with alarm. Zone is in not in the expected state or
in alarm state.
Unknown Unknown condition.
l Panels tab only. View the connection status.
Encryption Fails Encrypted connection or remote key failed.
For more information about the panel setting, see Panel Encryption on
page 447.
Incompatible DMP firmware version is not supported.
For more information, see Prerequisites on page 446.
Offline Panel is not connected.
Online Panel is online.
Tip: Hover your mouse over the status box to view a tooltip.
l Click the column heading to sort the lists.
Silencing Keypad Alarms on Panels

1. Click the Panels tab.
2. Select one or more panels.
To select all items, click the first column heading.
3. Click Silence Alarm.
Resetting Sensors on Panels

1. Click the Panels tab.
2. Select one or more panels.
3. Click Reset Sensors.
Silencing Keypad Alarms on Panels 62

Arming or Disarming Areas
1. Click the Areas tab.
2. To arm an area:
a. Select one or more areas in Disarmed status.
b. In Bad Zone Action, select the action for a zone in an area that might not be in the expected
condition at the time of arming.
l Bypass: All bad zones are bypassed.
l Force: All bad zones are force armed.
l Refuse: No zones are armed until the zone is restored.
c. Click Arm.
The area is Armed.
3. To disarm an area:
a. Select one or more areas in Armed status.
b. Click Disarm.
The area is Disarmed.
Bypassing Zones and Resetting Bypassed Zones

1. Click the Zones tab.
2. To bypass a zone:
a. Select one or more zones in Open alarm status.
b. Click Bypass.
3. To reset a bypassed zone, click Reset Bypassed.
The zones in the area are Armed.
Arming or Disarming Areas 63

Activating and Deactivating Outputs
1. Click the Outputs tab.
2. To activate an output:
a. Select one or more outputs in Off (unpowered) status.
b. In Activate, choose:
l Steady: Turns on and remains 'on' until the area is disarmed, an output cutoff expires, or
the output is reset.
l Momentary: Turns on only once for one second.
l Pulse: Alternates one second 'on' and one second 'off.'
l Temporal Code: For the duration of the bell cutoff time, repeats half second 'on' and half
second 'off' (three times) followed by 2.5 seconds 'off.'
c. The output is On (powered).
3. To deactivate an output:
a. Select one or more outputs in Pulse (intermittently on and off) or On status.
b. Click Deactivate.
c. The output is Off (unpowered) status.
Activating and Deactivating Outputs 64

Identities
The Identities screen gives you access to all tokens and operators of the system. An identity is added to the
system when a new user needs access to the site. For example, when a person is hired. Access to a site may
be physical access to an area or access to the ACM system to manage the site.
Physical access to the site allows a user to access areas and doors. Access to the ACM system allows users
to manage the site, such as adding users or monitoring events.
For a user to have access to the system or physical access to the site, they must have an identity.
l If the user requires access to the system, they are issued a login and password. This allows the user to
access areas of the system. The areas of the system the user has access to depends on their role.
l If a user requires physical access to the site, they are issued a token. The token gives the user physical
access to the site. This allows the user to access areas on the site. The areas the user has access to
depends on their role in the system.
Identities 65
Configuring HID Mobile Access® Credentials
Before you can issue HID Origo tokens, you must configure HID Origo. For more information, see:
l Prerequisites below
l Step 1: Connecting to the HID Origo External System below
l Step 2: Enrolling Identities and Issuing Tokens on the next page
Prerequisites
You need access to HID Origo configuration information in the HID Origo Management Portal.
1. Create an HID Origo account, log in and go to Organization Administration.

2. Add a System Account and enable Mobile Identities to communicate with ACM.
3. Select the Password credential type and enter a password. (Only password credentials are supported
by ACM. PKI credentials are not supported.)
For more information, refer to HID mobile access documentation.
Step 1: Connecting to the HID Origo External System
Note: Before you begin, obtain the Organization ID and user account information from the HID Origo
Management Portal.
Important: Connecting more than one ACM system to the same HID Origo account is not
recommended.
To connect to HID Origo in ACM:
Configuring HID Mobile Access® Credentials 66

1. Select > External Systems.
2. Click the HID Origo tab.
3. Enter:
Appliance The name of the ACM appliance.
Authentication Portal The URL of the HID authentication portal.
Management Portal The URL of the HID management portal.
Customer ID The Organization ID.
User Name The Client ID of the system account.
Password The password for the system account.
Partitions Displayed for a partitioned ACM appliance only. To restrict operator access
to the item, select one or more partitions. To allow all operators access to
the item, do not select a partition.
Installed Enables communication between the ACM appliance and HID Origo after
saving.
4. Click the Create button.
After the connection is saved, see Step 2: Enrolling Identities and Issuing Tokens below.
Step 2: Enrolling Identities and Issuing Tokens
Note: Before you begin, configure the Enroll Settings section in the HID Origo Management Portal.
To enroll an identity and issue an HID Origo token:
1. Select Identities > Identities and click Search to select an identity already created.
If you need to add an identity, see Adding an Identity on page 69.
If you need to add a role, see Adding an Access Group on page 112 and Assigning an Access Group to
a Role on page 115.
2. Click the Tokens tab and enter:
Token Type HID Origo
Mobile ID Type The mobile ID to be issued to the registered device.
For other field descriptions, see Token Fields on page 81.
3. Click Enroll. An invitation is sent to the email address of the identity.

4. Instruct the identity to follow the steps in the email, including clicking an app store link to install the
HID Mobile Access app and then clicking the invitation code link to enroll.
5. After the identity accepts the invitation, the HID Origo token will be available in their mobile app.
Issuing a Token to an Enrolled Identity on a Registered Mobile Device

If you need to issue to an identity an additional credential with a different mobile ID, you can issue another
Step 2: Enrolling Identities and Issuing Tokens 67

token:
1. Click Add Token on the Tokens tab and enter:

Token Type HID Origo
Mobile ID Type The HID mobile card that is not already issued to the device.
2. Click Issue Token.

3. Select the mobile device in the Device Selector.
4. Click Submit. The token is displayed in the list of tokens in the ACM application. Another token is
displayed in the HID Mobile Access app.
Registering a New Mobile Device for an Enrolled Identity

If an identity has swapped devices or if an invitation has expired, you can send another invitation:
1. Click Send Invitation on the Tokens tab.

2. Instruct the identity to follow the steps in the email, including clicking an app store link to install the
HID Mobile Access app and then clicking the invitation code link to enroll.
Searching for HID Origo Tokens

To search for HID Origo tokens that were issued, or are being issued, to identities:
1. Select Identities > Identities.

2. Use Identity Search to find an identity.
l In Search Field, select HID Origo Token Status.
l In Search Value, select Issued or Issuing. To search for both statuses, leave blank.
3. Click Search.
Searching for an Identity

Use Identity Search to find an identity.
1. Fill out the following fields:

l Last Name field.
l (Optional) First Name and/ or Internal Number fields.
l (Optional) Group field.
Blank entries will return all identities.
Note: Identities using SALTO devices only. First Name and Last Name are required. Identities
using HID Origo tokens only. First Name, Last Name and Email Address are required to enroll
Registering a New Mobile Device for an Enrolled Identity 68

the identity in HID Origo. Identities using DMP intrusion panels. Identities are defined by their
DMP user name, ID and DMP panel name.
2. Add other search criteria.

a. Search Field drop down list.
b. Search Value field.
c. Click Add Criteria to add another search field and value.
To clear all fields, click Clear Search.
To remove a search row, click Remove.
3. To the right of the Search button, select either:
l And to find all identities that fit all entered criteria.
l Or to find identities that fit one or more of the entered criteria.
4. Click Search.
The page displays your search results.
Adding an Identity
A person with an identity record in ACM can be issued a badge to enter the physical site. A user of the ACM
software can be issued a login and password.
To add a new identity:
1. Select Identities.
2. Click Add Identity.
If Identity Profiles are configured, select the profile for the identity and click OK. The Identity Add page
appears with the details of the identity profile. Otherwise, click Cancel.
3. Fill out the Last Name field and the required details.
Note: Additional fields can be added using the User Forms or User Lists feature. Identities
using SALTO devices only. First Name and Last Name are required. Identities using HID Origo
tokens only. First Name, Last Name and Email Address are required to enroll the identity in
HID Origo.
4. Click Save.
5. Assign roles to the identity as required on the Roles tab and click .
To add an item, select it from the Available list and click .
To remove an item, select it from the Members list and click .
Tip: Use Shift + Click to select items in sequence. Use Ctrl + Click to select individual items.
6. Enter the token details as required on the Tokens tab.

By default the Download checkbox is selected, which downloads the token to the connected panels
and associated doors. Identities using SALTO devices only. Click the Download button, which
downloads the token to the SALTO server and door. Identities using ASSA ABLOY IP devices only.
Click the Download button, which downloads the token to the DSR and door.
When you are finished, click .

7. Add more details about the identity on the following tabs:
l Roles: Assigns a role to this identity.
l Tokens : Creates a token for the identity.
l Groups: Assigns the identity to a group.
l Capture: Takes a photo of the user.
l Photos: Uploads an existing photo of the user.
l Badge: Assigns a badge to the user.
l Timed Access: Assigns timed access to the user.
l Access: View the identity's access privileges including roles, access groups and doors.
l Transactions: View transactional data associated with the identity.
l Audit: View a log of all the changes that have been made to this identity.
The default Enrollment Operator role does not have access to this tab. Contact your System
Note: The labels of the built-in tabs, such as Identity and Tokens, may be renamed by your
System Administrator. A custom form or User Defined Tabs with User Defined Fields may be
added at the end of the list.
Assigning Roles to Identities
A role defines what a user has access to. For identities to have access to the system or physical access to the
site, they must be assigned a role. Each role contains access groups and/or delegations. Access groups allow
a user to have physical access to the site. Delegations allow a user to have access to the system. The user
will be assigned a role depending on their position in the organization.
To assign roles to an identity:
1. Click Identities.
2. From the Identities Search page, perform a search for an identity.
For more information, see Searching for an Identity on page 68.
3. Click on the name of the identity you want to edit.
4. Select the Roles tab.
5. From the Available list, select all the roles that you want to assign to the user, then click .
The role is added to the Members list to show that it is now assigned.
To remove a role from the user, select the role from the Members list, then click .
Note: You can select multiple items by using the Ctrl or Shift key.
6. Click Save.
Assigning Tokens to Identities

Tokens are used to authenticate individuals and allow or deny them physical access to your site. Tokens are
assigned to personnel identity records along with access cards, biometric data such as fingerprints, or
connected devices such as smartphones with apps that can be presented for authentication at readers.
To further restrict access, identities can be assigned to specific roles within your site.
To create tokens and assign them to an identity:
1. Select Identities > Identities.

2. Search for an identity.
3. Click the name of the identity you want to edit.
4. Select the Tokens tab.
5. If only one token has been defined, the Token: Edit page appears.
If more than one token has been defined, the Tokens list appears. Click Add Token.
Assigning Roles to Identities 71

6. Enter the details as required.
Note: If you are assigning HID Origo tokens, see Configuring HID Mobile Access® Credentials
on page 66.
7. Click and then to return to the identity search.

8. Click Download to download the token to the connected panels and associated doors.
9. To assign this token to a badge, select the Badge tab.
From the Badge Token drop down list, select the internal number you want to assign to the badge.
10. Click .
Assigning Groups to Identities

Groups are used to group physical and/or system components. Groups are assigned to identities primarily for
batch updates. For example, if all the badges are close to expiry and they are assigned to the same group,
the expiration date can be extended through a batch job.
To assign groups to an identity:
2. From the Identities Search page, perform a search for an identity.
3. Click on the name of the identity you want to edit.
4. Select the Groups tab.
5. From the Available list, select all the groups that you want to add the user to, then click .
The group is added to the Members list to show that the user is now a member.
To remove a user from a group, select the group from the Members list, then click .
Note: You can select multiple terms by using the Ctrl or Shift key.
6. Click Save.
Deleting a Token
To delete a token:
1. On the Tokens tab of an identity, click Delete.

2. Click OK.
Assigning Groups to Identities 72

Capturing and Uploading Photos of an Identity
Note: Using photos taken directly from a mobile phone is not supported. To maintain the aspect ratio
of a photo, you need to download it to your computer and then upload it to the ACM system for
editing, as described below.
Capture or upload photos of a person from the Photos tab on a person's Identity page. Then you can select a
photo from this page to appear on that person's Identity page or printed on an access badge.
Captured photo: A photograph taken by a badge camera connected to your computer and to the ACM
system, and saved in the ACM system. Captured photos are in JPG format.
Uploaded photo: A graphics file in JPG, PNG, or or GIF format that you upload from any location your
computer can access and save in the ACM system. Typically, you would upload a JPG file for access badges.
Note: The Microsoft Edge web browser supports only the uploading of JPG files. Do not attempt to
upload any other file format if you are using the ACM client in the Microsoft Edge web browser.
Photos saved in the ACM system can be cropped, resized, and rotated to meet the standardized
requirements of the badge templates defined in your system.
You can use two types of cameras as a badge camera to capture a photo:
l Local Camera — Any camera connected directly to your computer or built into your computer or
monitor.
l IP-based camera — Any IP-based camera previously connected to your network and added to your
ACM system.
Before you can:

l Use a camera to capture photos, you must specify the badge camera you want to use in your user
profile. For more information, see External Systems - Defining the Badge Camera for the System on
page 434.
l Generate and print a badge, at least one badge template must be defined in your system.
After a photo has been added to the Photos tab of an identity, you can edit the photo to suit the requirements
of your badge templates. Then you can create a badge with that photo. For more information, see Creating
Badges for Identities on page 77.
Capturing a photo

1. There are two ways to access the Capture page:
l
From the Identities Search page, click from the Image Capture column.
l From the Identities Search page, click on the name of an identity, select the Photos tab, then
click Capture a Photo.
2. If you are using:
a. A local camera that you have not used before, this page will not appear unless you allow your
web browser to access your camera. The first time you access the Capture page, you are
prompted to allow your browser to access your local camera. Click Allow.
b. An IP-based camera and the camera requires authentication, this page will not appear until you
have entered your login credentials.
Enter a user name and password, then click OK.
The Capture page appears, with the live preview from the camera showing on the right.
3. Click Capture.
The page refreshes to show the captured photo on the left and the live preview on the right.
A cropping overlay is imposed over the photo, The aspect ratio of the overlay is determined by the
values set on the System Settings page for Badge Template Photo Height and Badge Template
Photo Width.
4. Click:
l
Save to save the photo that part of the image highlighted in the cropping overlay is saved.
Cropping the photo using this aspect ratio ensures that the photo will fit exactly into the photo
area on the badge without any distortion.
l
Save and Edit to save the photo and open the photo editing tool, or Save to add the
photo directly to the Photos tab.
5. On the Photos tab, select the Primary checkbox if you want this photo to appear on this person's

Identity page and access badge.
6. Click Save.
Uploading a photo
1. From the Identities Search page, click on the name of an identity, select the Photos tab, then click
Upload a Photo.
The screen expands to include more fields.
2. Click Choose File and navigate the directory to find the photo you want to upload.
Click Open to select the photo. You can upload files in JPG, PNG, or GIF format.
3. On the Photos tab, click the Primary checkbox if you want this photo to appear on this person's
Identity page and access badge. If no primary photo is selected, the first photo on the list is used.
4. Click Save.
Editing a photo
You can edit a captured photo when you first save it by clicking Save and Edit. You can edit any saved
photo by clicking on its filename link or thumbnail photo on the Photos tab.
The photo is displayed with a brighter cropping overlay imposed over it. The overlay is preset to the Badge
Photo aspect ratio. This ratio is determined by the values set on the System Settings page for Badge
Template Photo Height and Badge Template Photo Width. Cropping the photo using this aspect ratio
ensures that the photo will fit exactly into the photo area on the badge without any distortion.
Use the mouse in combination with the control buttons under the photo to crop, resize, rotate and flip the
photo. You cannot edit the actual photo, or change its resolution by zooming in and out. The dimensions
shown in the Crop Box options are read-only and cannot be entered directly, but are dynamically updated as
you manipulate the cropping overlay with the mouse.

1. Adjust the overlay.
l To reposition the overlay over the photo:
a. Click inside the cropping overlay.
b. Drag the mouse to move the overlay.
l To resize the overlay
a. Click on the bounding frame. The mouse cursor will change to indicate the direction the
overlay can be resized.
b. Resize the overlay. The selected aspect ratio (usually the Badge Photo aspect ratio) is
retained.
l To change to a different aspect ratio:
Click to select the required aspect ratio.
l To resize the overlay freely:
a. Click Free.
b. Click on the bounding frame. The mouse cursor will change to indicate the direction the
overlay will be resized.
c. Drag the mouse to resize the overlay. The overlay will be resized only in the direction of
the cursor.
l To rotate the overlay:
a. Click outside the current overlay.
b. Drag the mouse to draw a new overlay.
l To replace the overlay:
a. Click outside the current overlay.
b. Drag the mouse to draw a new overlay.
2. Adjust the photo.
l To enlarge or reduce the photo:
Use the + and - magnifier control buttons to adjust the photo size in stepped increments.
l To reposition the photo:
Use the up, down, left and right control buttons to adjust the photo position in stepped
increments.
l To rotate the photo:
a. Use the counterclockwise circular arrow to rotate the photo to the left by 90°.
b. Use the clockwise circular arrow to rotate the photo to the right by 90°.
l To flip the photo:
a. Use the horizontal double-ended control button to flip the photo left to right.
b. Use the vertical double-ended control button to flip the photo top to bottom.
l To reset the photo:
Use the reset control button to cancel your changes and revert the photo to its previously
saved version.

3. Save the photo:
Click Save.
The Photos tab is displayed with the saved photo.
When you save the photo, that part of the image highlighted in the cropping overlay is saved.
Note: The saved photo replaces the original photo. The original photo cannot be restored.
Specifying the Primary photo
If you have several photos saved on the Photos tab, the first photo is used on that person's Identity page and
is selected by default for the access badge. To use another photo instead, select the Primary checkbox of
the photo you want.
Deleting a photo
To delete a photo from the Photos tab:
1. Click .
2. Click Save.
Creating Badges for Identities

Badges are identification cards that are used to verify a user's identity or association to an organization.
Badges may also be used as access cards if they are printed directly on the person's RFID badge.
Note: Before you can print a badge, you must connect a badge printer to the network and configure
it. For instructions on how to configure your badge printer, refer to the printer's user guide.
To create a badge for a user:
2. From the Identities list, click on the name of the identity you want to edit.
3. Select the Badge tab.
4. From the Badge Photo drop down list, select a photo for this badge.
Only the photos that have been previously uploaded or captured for this identity appear in this list.
5. From the Badge Token drop down list, select the token you want to associate with this badge.
Only the tokens that have been previously defined for this user appear in this list.
6. From the Badge Template drop down list, select the badge template that you want to use for this
badge.
Only the badge templates that have been previously defined appear in this list.
Creating Badges for Identities 77

7. Click Save.
8. To print the badge, click Create Badge.
The badge appears in a preview window.
9. Click Print.
Note: When printing the badge, ensure that the Header and Footer settings are turned off or set to
blank.
Timed Access
Timed access allows you to schedule access to a specific set of doors or access groups for one badge-holder
identity. It is useful for providing temporary restricted access to your site for visitors, contractors, temporary
employees, and so on.
Use timed access:

l By door to provide short-term restricted access to your site for visitors, contractors, temporary
employees, and so on; for example, to allow a contractor to access only the doors needed to access
the work site. Each timed access applied to a door adds a new access level to the panel attached to
the door, and panels are restricted to a maximum of 254 access level entries. There is a risk that
overuse of this feature without deleting entries can cause the number of access levels on a heavily
used door, such as a front door, to exceed this maximum.
l By access group to provide groups of badge-holders access to specific areas for restricted times; for
example to access canteen areas during meal hours, or parking garages during the working day. The
risk of access levels accumulating is much reduced by using access groups.
Note: All timed access deletions must be done manually. There is no automatic clean-up of timed
access entries.
To find a timed access entry for an identity:
2. Search for the identity. For more detail refer to Searching for an Identity on page 68.
3. Click on the name of the identity. The Identity: Edit page displays.
4. Click on the Timed Access tab.
To add a new timed access entry for an identity:
Timed Access 78
1. Find the timed access entry for the identity.
3. Complete the fields on the tab. Refer to the guidelines above to select the appropriate timed access
type.
4. Click Add.
The new timed access entry is added to the timed access list. If the timeframe for an entry is currently
active it will display in green. Timeframes for timed access are not checked against schedules. If a
timed access entry is displayed in green but is not working, check any related schedules.
Note: You cannot edit a timed access entry. To change the details of an entry, delete the timed
access entry and add a new one.
To delete a timed access entry for an identity:
1. Find the timed access entry for the identity.

3. View the timed access list.
4. Click to delete the related timed access entry.

5. Click OK when the message 'Are you sure you want to delete <name>' displays.
The message 'Successfully deleted the timed access entry <name>' displays.
Note: All deletions must be done manually. There is no automatic clean-up of timed access entries.
Adding Timed Access to an Identity

To add a new timed access entry for an identity:
2. Search for the identity. For more information, see Searching for an Identity on page 68.
3. Click the name of the identity.
4. Click the Timed Access tab.
5. Complete the following fields:
l Name
l Type
l Appliance
l Available/Members
Adding Timed Access to an Identity 79

l Start Day/Time
l End Day/Time
l Schedule (if doors are selected as the Type)
6. Click Add.
The new timed access entry displays in the timed access list. If the timeframe for an entry is currently
active it will display in green. Timeframes for timed access are not checked against schedules. If a
timed access entry is displayed in green but is not working, check any related schedules.
Editing Timed Access

There is no functionality to edit a timed access entry. If you want to change the details of an entry, then:
l Delete the timed access entry. For more detail, refer to Deleting Timed Access below.
l Add a new timed access entry. For more detail, refer to Adding Timed Access to an Identity on the
previous page.
Deleting Timed Access

To delete a timed access entry:
2. Search for the identity. For more detail refer to Searching for an Identity on page 68.
3. Click on the name of the identity.
5. View the timed access list.
6. Click to delete the related timed access entry.

7. Click OK when the message 'Are you want to delete <name>' displays.
The message 'Successfully deleted the timed access entry <name>' displays.
Note: All deletions must be done manually. There is no automatic clean-up of timed access entries.
Editing an Identity
An identity must be edited when user information changes. For example if a user changes roles, their identity
would need to reflect this. If the role is not updated, the user would not be able to access areas required for
their new role.
To edit an existing identity:
Editing Timed Access 80

2. Search on the Identity Search screen, then click on the identity you want to edit.
3. Navigate through the tabbed pages and make the required changes.
l Identity: The identity details.
l Roles: Assigns a role to this identity.
l Tokens : Creates a token for the identity.
l Groups: Assigns the identity to a group.
l Capture: Takes a photo of the user.
l Photos: Uploads an existing photo of the user.
l Badge: Assigns a badge to the user.
l Timed Access: Assigns timed access to the user.
l Access: View the identity's access privileges including roles, access groups and doors.
l Transactions: View transactional data associated with the identity.
l Audit: View a log of all the changes that have been made to this identity.
The default Enrollment Operator role does not have access to this tab. Contact your System
Note: The labels of the built-in tabs, such as Identity and Tokens, may be renamed by your
System Administrator. A custom form or User Defined Tabs with User Defined Fields may be
added at the end of the list.
Note: Remember to click to save the changes on each page.
Token Fields
Add or edit a token for an identity on the Token tab in Identities:
Token Type Displays only for ViRDI, PIV and PIV-I, SALTO, and HID Origo tokens:
l Default: For all other types of tokens.
l VIRDI Biometrics: Only if ViRDI system settings have been applied.
l PIV or PIV-I: Only if pivCLASS system settings have been applied. See
Appendix: pivCLASS Configuration on page 529.
l SALTO
l HID Origo
Token Fields 81
Mobile Application Type Displays only for SALTO tokens.
Default is None.
JustIn Mobile refers to the SALTO JustIN Mobile application that is installed on

the mobile phone of the identity.
Note: When issuing mobile keys, the encoder requires access to the
internet.
Mobile ID Type Displays only for HID Origo tokens.

The mobile ID to be issued to the registered device.
Mobile Phone Number Displays only for SALTO tokens.
The mobile phone number in international format (plus sign and no spaces).
+ country code, area code, phone number
Example: +12345678910
Note: The mobile app must be installed on the mobile phone of this
phone number.
User ID Displays for ViRDI Biometrics only; read-only field. The ID number for the token
assigned from the range configured when the ViRDI external system was
configured.
Embossed Number The number to be printed on a badge.
Only required for physical access cards.
Does not display for ViRDI Biometrics and SALTO tokens.

Internal Number The internal number that is assigned automatically to the token. This value is
downloaded to panels to enable the token's access permissions.
Note: Duplicate numbers are not allowed in the ACM system. Ensure
the configuration of mobile IDs in HID Origo prevents duplicate
credential numbers.
Does not display for SALTO tokens.

CHUID See Appendix: pivCLASS Configuration on page 529.
Token Fields 82
PIN When a PIN is required, the PIN number that the user will be required to enter at
a keypad card reader.
Does not display for ViRDI Biometrics tokens.

Token Status The status of the token may be set manually and then updated by the system as
follows:
l Active: The Not Yet Active token is set to Active when the current date is
past the Activate Date.
l Expired: The Active token is set to Expired when the current date is past
the Deactivate Date.
l Inactive: The Active token is set manually to Inactive without further
update.
l Not Yet Active: The token is not active yet.
Issue Level A number from 0 to 999999999, representing the issue level of the token.
Example: If a 3-digit length was configured on the Card Format: Edit page, you
can enter 123 for the issue level of the card.
For more information, see Issue Level Numbering for Reusing a Card Number on
page 325.
Last Area The last area the token gained access to.

APB Exempt A checkbox to exempt this token from anti-passback.
For more information, see Anti-Passback Modes on page 215.

Trace A checkbox to enable the trace feature for the token. This will generate a trace
event each time the token is used to gain access. The event can then be sent to
monitoring, reported separately, and used in global I/O configurations.

Download A checkbox to allow the token to be downloaded to connected panels. Default is
enabled.
SALTO tokens. Click the Download button, which downloads the token to the
SALTO server and door.
Never Expire The token never expires.
Extended Door Times A checkbox to give the token extended access time.
Once enabled, the door remains unlocked for a longer period of time than the
standard access time to accommodate users that may require more time to enter
a door.
Standard and extended access times are specified on the Door Edit page.
Token Fields 83
Office Displays for SALTO tokens only.
A checkbox to enable the token to activate Office mode for a door that is
configured for Office mode, which allows the cardholder to leave the lock open.
To use this mode, the cardholder presents the key to the door while pressing
down the inner handle and repeats the procedure to undo the mode.
Set Lockdown Displays for SALTO tokens only.
SALTO standalone doors only. A checkbox to enable lockdown mode for a door

that has a lock that can support manual lockdown. For more information about
lockdown in the SALTO system, refer to SALTO systems documentation.
To use this mode, the cardholder presents the key to the door's inside reader
and repeats the procedure to undo the mode.
Override Privacy Displays for SALTO tokens only.
A checkbox to allow the cardholder to access a door locked from the inside at
any time.
Override Lockdown Displays for SALTO tokens only.
A checkbox to allow the person to access a door closed from the inside during
lockdown state.
Audit Openings Displays for SALTO tokens only.
SALTO standalone doors only. A checkbox to audit the use of keys in

standalone doors. Audits automatically occur in online doors.
Enable Revalidation Displays for SALTO tokens only.
A checkbox to specify a period for revalidating a key before it becomes invalid.

To make the token valid again, the cardholder can present the token to the
online wall reader at any time.
For example, a key requires revalidation every seven days, if the update period
is set to 7 days. If the key is used on the third day, the update period is reset. If
the key is not used for over seven days, the key becomes invalid.
Pin exempt A checkbox to exempt the token from PIN entry at a keypad card reader.
Not supported for ASSA ABLOY IP doors.

Use/ Lose exempt A checkbox to prevent this token from expiring if you know the identity will return
after an extended period of inactivity.

Create Time Stamp When a token was issued to the mobile device of the identity.
Issue Date The date the token was issued. Click the field to use the calendar.
Activate Date The activation date for the token. Click the field to use the calendar.
Token Fields 84
Deactivate Date The deactivation date for the token. Click the field to use the calendar.
In ACM 6.18 and later releases, there is no deactivate date for the token that has
Never Expire enabled.
Last Door The last door the token was used to gain access.
Last Used The last time the token was used to gain access.
1 free pass Displays when editing ViRDI Biometrics tokens only. From the drop-down list,
select a door.
Click 1 free pass to allow the user to enter the door without generating an APB
error.
Enroll Displays only for HID Origo tokens.
Sends an invitation email with app download instructions and invitation code in
order that the identity can redeem the issued token.
Note: First Name, Last Name and Email Address are required to enroll
the identity in HID Origo.
Issue Token Displays only for HID Origo tokens. Only applicable after the identity is enrolled.
Issues a mobile ID to the selected device.
Send Invitation Displays only for HID Origo tokens.
Registers a new mobile device.
Note: After the invitation is accepted, issue a token to this device.
Add another token.

Add Token
Save and Enroll Displays only for ViRDI Biometrics tokens. It is active when the Biometric
Enrollment (BE) Manager is running.
Click the button to save your changes and open the BE Manager to enroll and
register the fingerprint for the identity.
The button is grayed out if the BE Manager is not running:
If your ACM client is running in a Chrome or Firefox web browser, and the

BE Manager is running although this button is grayed out, you can initiate a
connection by opening the URL https://avobiometric.loc:9875/ in your web
browser.
Token Fields 85
Click this button to save your changes.
Click this button to discard your changes.
Token Fields 86
Managing Roles
The Roles feature allows you to define the access control permissions and application permissions that are
available in the system. After roles are defined they can be assigned to identities, depending on the type of
access control or application functions they are permitted to have.
When you select Roles, the following options are displayed:

l Roles — Displays the Roles list, the starting page for this feature.
l Policies — Displays the Policies list.
l Groups — Displays the Groups list.
l Access Groups — Displays the Access Groups list.
l Delegations — Displays the Delegations list.
l Partitions — Displays the Partitions list.
l Routing Groups — Displays the Routing Groups list.
l Elevator Access Levels — Displays the Elevator Access Levels list.
Configuring Roles
A role is a container for all the permissions an ACM operator needs in the ACM system to perform a specific
function in the organization. Each role can include access groups, delegations, routing groups, and role-
assignment privileges.
l An access group contains all the doors and elevator access levels that a badge holder needs to
access.
l A delegation is a list of permissions for the functionality within the ACM system that allows an ACM
operator to configure settings and monitor events.
l A routing group allows an ACM operator to monitor specific event types and hardware components.
l Within the role, you can also specify which roles an operator can assign to other people.
After you have defined access groups, delegations, routing groups, and role-assignment privileges, you can
assign them to the appropriate roles, and then assign the roles to identities in the system.
Adding a Role
A Role defines a set of permissions in the ACM application that allow users to perform specific functions.
Note: Define your required access groups, delegations, and routing groups before you configure
roles.
To add a new role:
Managing Roles 87
1. Select Roles > Roles.
2. Click Add Role and enter a name for the new role.
Or, click to create a copy of an existing role.
Note: A copy of a child role includes the link to the parent role. A copy of a parent role does
not include any of the child roles.
3. Complete the remainder of the page with the required details.
4. Click Save.
The Role Edit screen is displayed.
5. Select the Access Groups tab to assign access groups to the role.
6. Select the Delegate tab to assign delegations to the role.
7. Select the Routing tab to assign routing groups to the role.
8. Select the Asgn Roles tab to specify role-assignment privileges. Operators with this role can only
assign the specified roles in this list to other people in the system.
9. Select the Access tab to view access groups, doors, and identities associated with this role.
10. Select the Audit tab to view a log of all the changes that have been made to this role.
11. Click Save.
Editing a Role
To edit an existing role:
1. Click Roles.
2. From the Roles list, click on the role you want to edit.
3. Navigate through the tabbed pages and edit the details as required. The tabbed pages include:
l Role Edit: use this page to edit general settings for the role.
l Access Groups: use this page to assign access groups to the role.
l Delegate: use this page to assign delegations to the role.
l Routing: use this page to assign routing groups to the role.
l Asgn Roles: use this page to specify role-assignment privileges. Operators with this role can
only assign the specified roles in this list to other people in the system.
l Access: use this page to view access groups, doors, and identities associated with this role.
l Audit: use this page to view a log of all the changes that have been made to this role.
Editing a Role 88
Assigning an Access Group to a Role
You must assign an access group to a role to make it effective.
1. Select Roles > Roles.

2. Select the Access Groups tab.
3. Select the access groups that you want to add to the role.
4. Click Save.
All the people with the role now have the access permissions defined by the access group.
Assigning Delegations to a Role

To assign delegations to a role:
1. From the Roles drop-down menu, select Delegations.

2. From the list of roles on the Delegations panel, click on the role you want to edit.
3. From the Available list, select all the delegations that should be part of the role then click .
The delegation is added to the Members list to show that it is now part of the role.
To remove a delegation from the role, select the delegation from the Members list and click .
Tip: You can select multiple terms by using the Ctrl or Shift key and move them with one
click.
4. Click Save.
Assigning Routing Groups to a Role

To assign routing groups to a role:

1. Click Roles.
3. Select the Routing tab.
4. From the Available list, select all the routing groups that should be part of the role, then click .
The routing group is added to the Members list to show that it is now part of the role.
To remove an routing group from the role, select the routing group from the Members list, then click .
5. Click Save.
Assigning Roles
The Asgn Roles tab allows you to authorize members of this role to assign specified roles to other users.
To specify these permissions:
1. Click Roles.
3. Select the Asgn Roles tab.
4. From the Available list, select all the roles you want to allow members of this role to assign to others,
then click .
The role is added to the Members list.
To remove a role from the list, select the role from the Members list, then click .
5. Click Save.
Deleting a Role
To delete an existing role:
Note: Default roles cannot be deleted.
Assigning Roles 90
1. Select Roles.
2. From the Roles list, click beside the role that you want to delete.
3. When the confirmation message is displayed, click OK.
Searching for Roles

View all the roles that have been configured in the ACM system on the Roles page.
To narrow down the search results:
1. Select Name, Installed, Default, Start Date or Stop Date in Search Field.
2. Select the search operator in Search Value and type in your search.
3. Optional. To refine your search, click Add Criteria, repeat the above steps, and select the And or Or
search operator (located next to the Search button).
To remove a single criteria row, click Remove. To clear all fields, click Clear Search.
4. Click Search.
The results are displayed.
Name The name of the role.
Click the name to edit the role.
Parent The parent of the role.
Click the name to edit the role.
Child Roles The child roles of the parent role.
Installed The role is currently operational and available to the system, if enabled.
indicates it is disabled.
Click the icon to change the setting.
Default The role is assigned automatically when adding a new identity.
indicates it is disabled.
Note: Changing this setting does not affect any existing identity. It is only
applied when a new identity is created. For example, you can change
these settings to enroll several identities with the same set of roles in a
single session, or use them to define a common set of roles applicable to
all identities.
Start Date The activation date and time for the role. Default is today's date at time of role
creation.
Searching for Roles 91

Stop Date The deactivation date and time for the role; for example, 12/31/2037
23:59:59. In ACM 6.18 onwards, there is no stop date for the role that has Never
Expire enabled.
Create a Copy Click to create a copy of an existing role.
Note: A copy of a child role includes the link to the parent role. A copy of
a parent role does not include any of the child roles.
Delete Click to delete the role from the database.
Note: Default roles cannot be deleted.
Add Role Click the button to add a new role.

Create New Click the button to generate a report of all the roles in the system.
Report
Role Fields
Add or edit a role on the Roles > Roles page:
Name The name of the role.

Only the roles that have been defined in the system appear in the drop down list.
The child role will inherit all the access permissions defined in the parent role. Also,
you cannot delete a parent role until you delete all its children.
Note: This is an advanced feature and is only recommended for

experienced operators.
Start Date The activation date and time for the role. Default is today's date at time of role
creation.
To use the calendar, click the field.
Date and time are displayed in the local time of the ACM appliance.
Stop Date The deactivation date and time for the role; for example, 12/31/2037 23:59:59.
To display the field and use the calendar, remove the checkmark in Never Expire
before you click the field. In ACM 6.18 onwards, there is no stop date for the role that
has Never Expire enabled.
Date and time are displayed in the local time of the ACM appliance.
Never Expire The role never expires. For a new role, the setting is enabled by default.
Role Fields 92
Installed The role is currently operational and available to the system, if enabled.
Default The role is assigned automatically when adding a new identity.
Activating this setting does not affect any existing identity. It is only applied when a
new identity is created. You will have to edit existing identities if you want this role
applied to them.
Partitions Displayed for a partitioned ACM appliance only. To restrict operator access to the
item, select one or more partitions. To allow all operators access to the item, do not
select a partition.
Roles - Access Groups page

When select the Access Groups tab, the Access Groups page is displayed. Access groups are sets of
physical access permissions including doors and elevator access levels. For more information on access
groups, see Managing Door Access on page 112.
This page allows you to assign access groups to this role.
Feature Description
Available A list of access groups that have been configured in the system.
To assign an access group to this role, select the access group, then click .
Members A list of access groups that have been assigned to this role.
To remove an access group from this role, select the access group, then click .
Roles - Delegate page

When you select the Delegate tab, the Delegate page is displayed. Delegations are sets of permitted
commands within the ACM application. For more information on Delegations, see Managing Access in the
Application on page 118.
This page allows you to assign delegations to the role.
Roles - Access Groups page 93

Feature Description
Available A list of delegations that have been configured in the system.
To add a delegation to this role, select the delegation from the Available list, then click to
move it to the Members list.
Members A list of delegations that have been assigned to this role.
To remove a delegation from this role, select the delegation from the Members list, then click
to move it to the Available list.
Roles - Routing page

When you select the Routing tab, the Routing page is displayed. Routing groups allow certain users to
monitor specific event types and components during a specified time interval. For more information on
Routing, seeRouting Events to the Monitor Screen on page 127.
This page allows you to assign routing groups to the role.
Feature Description
Available A list of routing groups that have been defined in the system.
To assign a routing group to this role, select the routing group, then click .
Members A list of routing groups that have been assigned to this role.
To remove a routing group from this role, select the routing group, then click .
Roles - Assign Roles page

When you select the Asgn Roles tab, the Asgn Roles page is displayed. This page allows you to specify
which roles that members of this role can assign to other identities. For example, suppose you want to allow a
Badge Administrator to assign roles for access rights to the facility. However, you might not want to allow a
Roles - Routing page 94

Badge Administrator to assign Super Admin or Monitoring Supervisor to a user.
Feature Description
Available A list of roles that have been configured in the system.
To allow members of this role to assign a specific role to other identities, select the role, then
click .
Members A list of roles that the user is allowed to assign to others.
To remove a role from this list, select the role, then click .
Roles - Access page

When you select the Access tab from the Role: Edit screen, a list of parent and child roles, identities, access
groups, and doors associated with this role is displayed.
Feature Description
Child Roles The child roles of the parent role.
Click + or - beside each role to show or hide the identities that are associated with that role.
Identities The identities that are members of the role.
Click + or - beside the parent role to show or hide the access groups and doors that are
assigned to that role.
Access The access groups that are assigned to the role.
Groups
Doors The doors that are assigned to the role.
Roles - Audit page

When you select the Audit tab, the Audit page is displayed, a log of all the changes that have been made to
this role is displayed.
Feature Description
Date The date and time when this role was modified.
Operator The user that modified this role.
Attribute The specific role detail that was modified.
Roles - Access page 95

Feature Description
Before Identifies what the role detail was before it was modified.
If the cell is blank, there was no previous value.

After Identifies what the role detail was changed to.
Create New Click this button to create a PDF report with the details on this page.
Report
Configuring Policies
Policies define access regulations for doors, inputs, and outputs. For example, you can specify the number of
allowed PIN attempts at a keypad entry or the length of time a user is allowed to stay in an area. Use policies
to override the settings that have been configured for individual doors, inputs, and outputs.
For doors, you can also define Priority Door policies for high-priority and emergency situations. A Priority
Door Policy replaces the current settings for a group of doors, including settings applied by other door
policies, priority and non-priority global actions, job specifications, and macros.
Priority-enabled policies are intended to support the emergency operating procedures at your site, including
potentially life-threatening situations (such as fires, tornadoes, earthquakes, physical attacks), and hazardous
situations (such as chemical spills, gas leaks, explosions). These policies require special permissions to
configure, and use specific options to operate. For more information, see Priority Situations on page 458 and
Triggering Door Lockdown By Panic Button or Red Card on page 469.
Policies are enabled through the Groups feature. After you have created a policy, you must assign it to a
group of hardware components to make it effective. All users and security devices that are assigned to the
group are affected by the policies that are in the group.
A policy is in effect when it is installed on the ACM appliance.
Adding a Policy
To add a new policy:
1. Select Roles > Policies.

2. Click Add New Policy.
The Policy Add page appears.
3. Fill out the Name field.
4. Select the hardware types that you want to override. The options include Door, Input, and Output.
5. Click Save.
When the page refreshes, the Policy Edit screen is displayed.
Configuring Policies 96
6. Depending on the options you selected on the Policy Add page, this screen may have any of the
following tabbed pages:
l Select the Mercury tab to override settings for doors that are connected to a Mercury Security
panel.
l Select the Input tab to override settings for inputs.
l Select the Output tab to override settings for outputs.
Editing a Policy
To edit an existing policy:

The Policies list appears.
2. Click on the policy you want to edit.
The Policy Edit screen appears.
3. Navigate through the tabbed pages and make the required changes. Depending on the options you
selected on the Policy Add page, this screen may have any of the following tabbed pages:
l Mercury: use this page to configure a policy for doors that are connected to a Mercury Security
panel.
l Input: use this page to configure a policy for inputs.
l Output: use this page to configure a policy for outputs.
Deleting a Policy
To delete an existing policy:
2. From the Policies Listing page, click beside the policy that you want to delete.
Policies list
When you select Roles > Policies, the Policies list is displayed. This page lists all the Policies that have been
configured in the system.
Features Description
Name The name of this policy.
Click the name to edit the policy details.
Editing a Policy 97
Features Description
Installed
Indicates if this policy is communicating with the appliance. Yes ( ) or No ( ).
Click the icon to change the status.

Door Indicates whether this policy affects doors.
Input Indicates whether this policy affects inputs.
Output Indicates whether this policy affects outputs.
Delete Click to delete this policy from the database.
Add New Policy Click this button to add a new policy.
Create New Report Click this button to generate a report of all the policies in the system.
Policies - Policy Add page

When you click Add New Policy from the Policies list, the Policy Add page appears. Enter the required
details.
Feature Description
Name Enter the name of this policy.
Partitions Displayed for a partitioned ACM appliance only. To restrict operator access to the item, select
one or more partitions. To allow all operators access to the item, do not select a partition.
Installed Check this box to indicate that this policy is currently operational and available to the system.
Door Check this box to affect doors with this policy.
Input Check this box to affect inputs with this policy.
Output Check this box to affect outputs with this policy.
Policies - Policy: Add page

When you click on the Policy tab, the Policy Edit page is displayed. This page allows you to edit general
policy settings.
Make any changes that may be required.
Feature Description
Name Enter the name of this policy.
Installed Check this box to indicate that this policy is currently operational and available to the system.
Policies - Policy Add page 98

Feature Description
Door Check this box to affect doors with this policy.
Input Check this box to affect inputs with this policy.
Output Check this box to affect outputs with this policy.
Policies - Mercury Security page

When you select the Mercury tab, the Mercury page is displayed. This page allows you to configure a policy
that can be applied to a group of doors connected to a Mercury Security panel.
CAUTION — If no Door Mode is selected for this policy and you do not select a schedule or select
Never Active and the policy is applied to a group of doors after a non-priority Global Action has been
triggered, the Door Mode is set to Card Only regardless of the higher-priority setting applied by the
Global Action.
Field Description
Priority Click this checkbox to specify this is a Priority Door Policy. This option is only enabled when
the values in the Lock Mode and Custom Schedule options are correctly configured.
The settings in a Priority Door Policy are applied to all Mercury Security doors and panels that
the policy is associated with when it is activated. A Priority Door Policy is intended as a
response to priority situations, such as unpredictable emergencies. For detailed instructions,
see Priority Situations on page 458.
Name Enter the name of this door policy.
Access Type Select the access type for this door policy.
Lock Mode For a wireless door, select the lock mode to be set by this door policy.
Select None if you are configuring a Priority Door Policy. This setting is used with the setting
in the Custom Schedule option to enable the Priority checkbox.

Field Description
Door Mode Select the entry mode for the door when the door controller is online and communicating
with the panel.
Important: You must select a Door Mode and for every door policy you create. If a
Door Mode is not selected:
l The policy is not available to use for a Door Override.

l The Door Mode may be set to Card Only if the policy is installed after a non-
priority Global Action has been triggered.
Offline Door Select the entry mode used for the door if the door controller is no longer communicating
Mode with the panel. The Offline Door Mode is no longer supported if the door controller is
connected to an LP4502 panel that has replaced an HID VertX panel.
Note: In many cases readers in offline mode require a very simple solution for entry
or exit because of the memory limitations. The recommended Offline Door Mode
option is Locked No Access.
Custom Select an additional door mode that will be active during the time specified in the Custom
mode Schedule field.
Custom Define when the Custom Mode would be active.
Schedule
Select a schedule from the drop down list. Only schedules that have been defined in the
system are listed.
Important: Select 24 Hours Active if you are configuring a Priority Door Policy. This
setting is used with the setting in the Lock Mode option to enable the Priority
checkbox.
APB mode Select the Anti-Passback (APB) mode for this door policy.
For more information on Anti-Passback modes, see Anti-Passback Modes on page 215.

APB delay Enter the number of seconds before another APB entry is allowed.
Into Area Select the area that the user enters by passing through a door.
Only the areas that have been previously configured in the system appear in this list.
Out of Area Select the area that the user exits by passing through a door.
PIN timeout Enter the number of seconds that is allowed for a user to enter a PIN before it times out.

Field Description
PIN attempts Enter the number of times a user can attempt to enter a PIN before an Invalid PIN event is
generated.
LED mode Select the LED mode to specify how the reader LEDs are displayed.
For more information on LED modes, see LED Modes for Mercury Security on page 322.
Held pre- Enter the number of seconds a door can be held open before a pre-alarm is issued.
alarm
Instead of generating an alarm, it sends a warning signal to the Access Control Manager
server.
Access time Enter the number of seconds a door remains unlocked after a card has been swiped.
when open
Standard Enter the number of seconds a door remains unlocked after access has been granted.
access time
If the door is not opened within this time, it will automatically lock.
Held open Enter the number of seconds a door can be held open before a Door Held Open event is
generated.
Extended Enter the number of seconds a door remains unlocked after access has been granted to
access token holders with extended access permissions.
This feature is useful for users that may require more time to enter a door.
Extended Enter the number of seconds a door can be held open for users with extended access
held permissions.
Strike Mode Select the strike mode.
l Cut short when open — the strike is deactivated when the door opens.
l Full strike time — the strike is deactivated when the strike timer expires.
l Turn off on close — the strike is deactivated when the door closes.
Mask Forced Specify when Forced Door events are masked.
During
system are listed.
Mask Held Specify when Door Held Open events are masked.
During
system are listed.
Always Mask From the drop down box, select TRUE to mask all Forced Door events.
Forced
Always Mask From the drop down box, select TRUE to mask all Door Held Open events.
Held
Door Processing Attributes
Enable Select TRUE to allow the user to enter their card number digits at the a keypad entry.
cipher mode
Deny duress Select TRUE to deny access to a user that indicates duress at a door.

Field Description
Don't pulse Select TRUE to disable the pulse of the door strike when request-to-exit is activated.
door strike
on REX For a policy for SimonsVoss wireless lock doors that do not support a door position switch
(DPOS) , this box must be set to TRUE.
Require two Select TRUE to specify that two tokens are required to open a door. This enforces two-
card control person entry rule.
Door forced Select TRUE to filter Forced Door events.
filter
In case a door is slow to close or is slammed shut and bounces open for a few seconds, this
filter allows three seconds for a door to close before generating an event.
Log grants Normally, the system will log a single message for a card swipe and opened door. If you
right away select TRUE, this will log two separate messages: one when access is granted and another
when the door is opened. This event is not turned into an Access Control Manager event.
Log all Select TRUE to log all access grants regardless of whether or not the door was opened.
access as
used
Detailed Select TRUE to generate detailed events of all hardware at the door including door position
events masking, timer expiration and output status.
This feature is useful for circumstances where it is important to know all the details of an
event.
Use shunt Select TRUE to enable the use of shunt relay for this door.
relay
Do not log Select TRUE to disable logging of request-to-exit transactions.
Rex
transactions
Create New Click this button to generate a PDF report on this door policy.
Report
Policies - Input page

When you click the Input tab, the Input page is displayed. This page allows you to configure a policy for
inputs.
Feature Description
Name Enter the name of this input.
Debounce Select the number of units (approximately 16 ms each) allowed for debouncing.
Entry Enter the number of seconds allowed for entry before this input issues an alarm.
Delay
Exit Delay Enter the number of seconds allowed for exit before this input issues an alarm.
Policies - Input page 102

Feature Description
Hold Time Set the amount of time that the alarm will stay in alarm after returning to normal.
For example, if the input point goes into alarm, then restores, it will hold it in that alarm state for
1 to 15 seconds after it returns to normal before reporting the normal state.
Logging Enter the type of logging you need for this input. Valid values are:
l Log all changes: Log all changes affecting this input.
l Do not log CoS if masked: Log all changes except change of state events if the input is
currently masked.
l Do not log CoS of masked & no trouble CoS: Log all changes except change of state
events if the input is currently masked and there are no trouble CoS events.
Schedule Define when the input is masked. When the schedule is active, the input will be masked.
Mode Enter the mode used for this input. The available options are:
l Normal: The door input is a normal door contact.
l Non-latching: The door input is a non-latching contact.
l Latching: The door input is latching contact.
EOL Select the EOL resistance value you need for this input.
resistance
Only those EOL resistance values previously defined for this system appear in this list.
Enabled Check this box to indicate that this input is connected and ready to communicate with the
Access Control Manager host.
Masked Select TRUE to indicate that this input is normally masked.
Policies - Output page

When you click the Output tab, the Output page is displayed. This page allows you to configure a policy for
outputs.
Feature Description
Name Enter the name of the output.
Enabled Check this box to indicate that this output is connected and ready to communicate with the
Mode Select the output mode.
Pulse Enter the pulse interval time. This is the number of seconds that the output will activate when a
Time pulse command is issued. This field is only available on outputs not associated with doors (e.g.
auxiliary relays).
Schedule Select a schedule from the drop down list. Only schedules that have been defined in the system
are listed.
Policies - Output page 103

Feature Description
Policies - Audit page

When you click the Audit tab, a log of all the changes that have been made to this policy is displayed.
Feature Description
Date The date and time when this policy was modified.
Operator The user that modified this policy.
Attribute The field that was modified.
Before The value in the field before this change took effect.
If this cell is blank, it indicates that there was no previous value.

After The value in the field after this change took effect.
Create New Report Click this button to generate a PDF of this audit history.
Configuring Groups
The groups feature allows you to group hardware components (cameras, doors, etc.) and/ or system
components (identities, roles, etc.). Groups are useful for various functions, including:
l Applying identity profiles to many people at a time using the batch update feature.
l Applying door templates to many doors at once using the batch update feature.
l Enabling operators to monitor specific event types and hardware components through routing groups.
l Assigning policies to override settings on a group of hardware components.
Note: Groups should not be confused with Access Groups. For more information on Access Groups,
see Managing Door Access on page 112.
Adding a Group
To add a new group:
1. Select Roles > Groups.

2. Click Add New Group.
The Group Add page appears.
4. Click
Policies - Audit page 104

Save.
When the page refreshes, the Group Edit screen is displayed.
5. Navigate through the tabbed pages and edit the details as required. The tabbed pages include:
l Group: use this page to rename the group and select partitions
l Policies: use this page to assign policies to the group.
l Members: use this page to add components to the group.
l Audit: use this page to view a log of all the changes that have been made to this group.
Editing a Group
To edit an existing group:

The Groups list is displayed.
2. Click the name of the group you want to edit.
The Group Edit page appears.
3. Navigate through the tabbed pages and make the required changes. The tabbed pages include:
l Group: use this page to edit the group name and view the current policies and members in the
group.
l Policies: use this page to select the policies in the group.
l Members: use this page to select the components in the group.
l Audit: use this page to view a log of all the changes that have been made to this group.
Assigning Policies to Groups

To assign policies to a group:

2. From the Groups list, click on the name of the group you want to edit.
3. Select the Policies tab.
4. From the Available list, select all the policies that you want to assign to the group, then click .
The policy is added to the Members list to show that it is now assigned.
To remove a policy from the group, select the policy from the Members list, then click .
Editing a Group 105

5. Click Save.
Assigning Members to Groups

A group can contain any number of members. Members of a group can be hardware items (cameras, doors,
etc) and/or system items (identities, roles, etc).
To assign members to a group:

2. From the Groups list, click on the name of the group you want to edit.
3. Select the Members tab.
4. From the Type drop down list, select the type of item you want to add to the group.
Once you select a type, the relevant items will appear in the Available window.
NOTE: If there are ten or more entries in the list in the Available window, a standard Search will display
- this can be used to narrow the list. If there are more than 2,000 entries then an Advanced Search will
display to enable you to narrow the list.
5. FromtheAvailablelist,selectalltheitemsthatyouwanttoassignasmembersofthegroup,thenclick .
The item is added to the Members list to show that it is now assigned.
To remove a item from the group, select the item from the Members list, then click .
6. Click Save.
Creating a Hardware Group for Routing

To use routing groups, you must create a group that contains the event sources of interest. The event
sources must be hardware components. For more information on routing groups, see Routing Events to the
Monitor Screen on page 127.

The Group Add page is displayed.
Assigning Members to Groups 106

4. Select a partition for the hardware group.
This is important for routing if you do not want operators in different partitions to see this hardware
group.
5. Click Save.
The Group Edit screen is displayed.
7. From the Type drop-down list, select a type of hardware component.
Note: Do not select Identity or Role, since they are not routable.
8. Select the hardware components that you want to add to the group.
9. Repeat the previous two steps if you want to add different types of hardware components to the
group.
10. Click Save.
Using Policies to Override Hardware Settings

2. Create a policy. For more information on how to create a policy, see Adding a Policy on page 96.
The Group Add page appears.
5. Fill out the Name field, then click .

When the page refreshes, the Group Edit screen is displayed.
6. Select the Policies tab.
7. Select the policy that you want to assign to the group, then click .
9. From the Type drop-down list, select a type of hardware component.
Note: Do not select Identity or Role, since they will not be affected by the policy.
10. Select the hardware components that you want to override, then click .
The hardware in the group are now overridden by the specified policy.
Using Policies to Override Hardware Settings 107

Performing an Identity Batch Update
The Batch Update feature allows you to assign an identity profile to many people at a time.
Note: You will need at least one identity profile and a group of identities to perform a batch update.
You can perform a batch update from either the Identity Profiles page or Groups page.
Performing a Batch Update from the Identity Profiles page

1. Select Identities > Profiles.
2. On the Identity Profiles list, click in the Batch Update column beside the identity profile you want
to apply.
The Batch Update dialog box pops up.
From the Group drop down list, select a group.
3. Click OK.
All the identities in this group are updated with the identity profile.
Performing a Batch Update from the Groups page

2. From the Batch Update column, click beside the group that you want to edit.
3. From the Identity Profile drop down list, select an identity profile.
4. Click Save.
All the identities in the group are updated with this identity profile.
Performing an Identity or Template Batch Update

The Batch Update feature on the Roles page allows you to assign an identity profile to a group of identities, or
a door template to a group of doors from the same manufacturer. This is useful for applying new or modified
standard settings to a group of identities or doors.
WARNING — There is a risk of losing a door template batch update report due to blocked pop-ups in your
web browser. When a door template batch update is performed on a group of doors, a report is generated
that you can save to your local system. If pop-ups from the ACM client are blocked by your web browser, the
report cannot be saved. Your web browser will notify you that the pop-up is blocked, and offer you the option
to unblock the pop-up. To save the report (and all future reports), you must enable pop-ups in your web
browser from your ACM client. For instructions on how to enable pop-ups, refer to the Help files for your web
browser.
Performing an Identity Batch Update 108

2. From the Batch Update column, click beside the group of identities or group of doors that you
want to update.
3. From the drop-down list, choose the identity profile or door template you want to apply to members of
this group.
Only the identity profiles or door templates previously defined by the system appear in this list.
4. Click Save.
Note: If you are doing a door template batch update on a group of doors, you will either be
prompted to save the report generated by the system (if pop-ups from the ACM client are
unblocked) or your web browser will notify you that the pop-up has been blocked.
All members in this group now have the field values defined by the identity profile or door template.
Scheduling an Identity or Door Batch Update

To schedule a batch update:

2. Click from the Scheduler column.

The Job Specification - General dialog box displays.
3. Fill out the details as required.
4. Click Next.
The Job Specification - Schedule dialog box displays.
5. From the drop down list, specify how often you want this update to occur.
Depending on the value you select, additional fields appear.
6. Fill out the details as required.
7. Click Next.
The Job Specification - Summary dialog box displays.

8. Click Submit to schedule this job.
The job is scheduled.
Deleting a Group
To delete an existing group:
Scheduling an Identity or Door Batch Update 109

2. From the Groups list, click beside the group that you want to delete.
Groups list
When you select Roles > Groups, the Groups list is displayed. This page lists all the Groups that have been
configured in the system.
Feature Description
Name The name of this group.
Click the name to edit the group details.

Members The number of members assigned to this group.
Policy The number of policies assigned to this group.
Batch Update Click to perform a batch update.
Scheduler Click to schedule one or more batch updates.
Delete Click to delete this group from the database.

Add New Click this button to add a new group.
Group
Create New Click this button to generate a report of all the groups in the system.
Report
Groups - Group Add page

When you click Add New Group from the Groups list, the Group Add page appears. Enter the required
details in each tab.
Name Enter the name of this group.

Policies Select the policies that you want associated with this group.
Members Select the members that you want associated with this group.
Groups - Group Edit page

When you click the Group tab, the Group Edit page is displayed. This page allows you to change the name of
this group and view which policies and identities are currently associated with this group.
Groups - Policies page

When you select the Policies tab, the Policies page is displayed. Policies are access regulations that you can
Groups list 110

establish for doors, inputs, and outputs. For more information on policies, see Configuring Policies on
page 96.
This page allows you to assign policies to this group.
Feature Description
Available A list of policies that have been configured in the system.
To assign a policy to this group, select the policy from the Available list, then click to move
it to the Members list.
Members A list of policies that are currently associated with this group.
To remove a policy from the group, select the policy from the Members list, then click to
move it to the Available list.
Groups - Members page

When you select the Members tab, the Members page is displayed. Groups can contain any number of
hardware items (cameras, doors, etc) and/or system items (identities, roles, etc).
This page allows you to assign components to the group.
Feature Description
Type Select the component type you want to add to this group.
Once you select a type, the relevant components will appear in the Available window.
Available A list of available components in the system.
To assign an component to this group, select the component, then click .

Members A list of components that are assigned to this group.
To remove a component from this group, select the component, then click .
Groups - Members page 111

Groups - Audit page
When you click the Audit tab, a log of all the changes that have been made to this group is displayed.
Feature Description
Date The date and time when this group was modified.
Operator The user that modified this group.
Attribute The field that was modified.
Before The value in the field before this change took effect.
If this cell is blank, it indicates that there was no previous value.

After The value in the field after this change took effect.
Create New Click this button to generate a PDF of this audit history.
Report
Managing Door Access

Access groups are sets of physical access permissions for doors and elevator access levels.
You must configure doors before you can create access groups. If you want to control access to the floors of
a building, you should configure elevator access levels beforehand as well. For more information on elevator
access levels, see Managing Elevator Access on page 132.
After you have created an access group, you must assign it to a role to make it effective. This allows members
of the role to access the specified doors and elevator access levels in the access group.
Adding an Access Group

To control access to the floors of your building, you must create elevator access levels. For more information,
see Managing Elevator Access on page 132.
Tip: It is recommended that you configure doors and elevator access levels before you create
access groups.
To add a new access group:
1. Select Roles > Access Groups.

2. Click Add Access Group and enter a name for the new access group.
Or, click to create a copy of an existing access group.
Note: A copy of an existing access group includes only the member's doors in your partition.
The copy does not include any of the roles or identities that are associated with the existing
Groups - Audit page 112

access group.
3. Select an appliance to manage the access group.

4. Complete the remainder of the page.
For more information, see Access Group Fields on page 116.
5. Click Save.
The Access Group: Edit page is displayed.
6. Select the doors you want to add to the access group.
7. Click Save.
Tip: If a message indicates the Advanced Schedule option cannot be enabled when saving,
do any of the following:
l Save the schedule without Advanced Schedule selected. Some doors only support
basic schedules.
l Find the access groups using the schedule and select another schedule.
8. After you have created an access group, you must assign it to a role to make it effective. For more
information, see Assigning an Access Group to a Role on page 89.
Editing an Access Group

The Access Groups list appears.
2. Click the name of the access group that you want to edit.
The Access Group Edit page appears.
l Edit: use this page to edit the access group
l Access: use this page to view the doors, roles, and identities that are in this access group
l Audit: use this page to view a log of all the changes that have been made to this access group.
Editing an Access Group 113

Deleting an Access Group
Note: You can only delete access groups that are not linked to any roles.
Before you can delete an access group, you must remove the access group from the associated role. For
more information, see Assigning an Access Group to a Role on page 89.

The Access Groups list is displayed.
2. From the Access Groups list, click beside the access group that you want to delete.
Access Groups - Example

Here is a scenario to exemplify the use of Access Groups: A user is assigned a role and a token. The assigned
role may contain one or more access groups. Each access group specifies access permissions to one or
more doors and panels during a certain time interval. When a token is downloaded, it receives access
permissions to doors that have been specified by the role.
A working example is:
1. Create a role called "HR Role" that includes two access groups.
l Access Group 1 has Schedule 9 am-5 pm M - F and Door "Front Door" on Panel 1.
l Access Group 2 has Schedule 11 am-2 pm M - F and Door "Break Room Door" on Panel 2.
2. Assign a user to the HR Role.
3. Create a token for the user called Token A with the internal number 12345.
To download these access permissions to the appropriate panels, the program must perform these
operations:
l Assign an access group to Panel 1 with a schedule of 9 am - 5 pm M - F and Door "Front Door". Name
this Access Group 1.
l Assign an access group to Panel 2 with a schedule of 11 am - 2 pm M - F and Door "Break Room Door".
Name this Access Group 2.
l Download Token A to Panel 1 - Token Number 12345, AG 1.
l Download Token A to Panel 2 - Token Number 12345, AG 2.
Deleting an Access Group 114

Assigning an Access Group to a Role
You must assign an access group to a role to make it effective.
1. Select Roles.
2. In the Roles list, click the role you want to edit.
3. On the Role Edit page, select the Access Groups tab.
4. Select the access groups that you want to add to the role.
5. Click Save.
All the people with this role now have the access permissions defined by the access group.
Searching for Access Groups

View all the access groups that have been configured in the ACM system on the Roles > Access Groups
page.
1. Select Name, Schedule, Installed, Door or Partitions in Search Field.

To remove a single criteria row, click Remove.
4. Click Search.
Name The name of the access group.
Click the name to edit the access group.
Appliance The name of the appliance that manages the access group.
Installed
indicates the access group is communicating with the appliance.
indicates communication is disabled.

Door The number of doors associated with the access group.

Roles The roles that the access group is assigned to.
Create a Click to create a copy of an existing access group.
Copy
Note: A copy of an existing access group includes only the member's doors in
your partition. The copy does not include any of the roles or identities that are
associated with the existing access group.
Delete Click to delete the access group.
Note: You cannot delete access groups that have been assigned to a role.
Add Click the button to add a new access group.

Access
Group
Create Click the button to generate a report of all the access groups in the system.
New
Report
Access Group Fields

Add or edit an access group from Roles > Access Groups:
Name The name of the access group.

Appliance The appliance that manages the access group.
Schedule When the access group is active.
Select a schedule from the drop down list. Only schedules that have been defined in the system
are listed.
Tip: If a message indicates the Advanced Schedule option cannot be enabled when
saving, do any of the following:
l Save the schedule without Advanced Schedule selected. Some doors only
support basic schedules.
Elevator The elevator access level that applies to the access group.
Access
level Only the elevator access levels that have been defined in the system appear in this list.
Installed If selected, the access group is currently operational and available to the system.
Access Group Fields 116

Options
Note: Fields in this list are dependent on the door or device. Some commands or fields
are not supported for all doors or devices.
Privacy Override ASSA ABLOY IP-enabled door only. Enables the cardholder to override and
unlock a door that is locked from the inside after the privacy button has been pressed.
Available The available doors on the appliance.
To add a door to the access group, select the door from the Available list and click to
Members The doors that are assigned to the access group.
To remove a door from the access group, select the door from the Members list and click
Access Groups - Access page

When you select the Access tab from the Access Group: Edit screen, a list of doors, roles and identities
associated with this access group is displayed.
Feature Description
Access The name of this access group.
Group
Click the name to return to the Edit page.
Doors A list of doors that can be accessed by identities in this access group.
Roles A list of roles that are assigned to this access group.
Click + or - beside each role to show or hide the identities that are in the access group through
the role.
Identities A list of users that are members of the access group.
Access Groups - Audit page

When you select the Audit tab from the Access Group: Edit screen, a log of all the changes that have been
made to this access group is displayed.
Feature Description
Date The date and time when this access group was modified.
Operator The user who modified this access group.
Attribute The specific access group detail that was modified.
Access Groups - Access page 117

Feature Description
Before Identifies what the access group detail was before it was modified.
If the cell is blank, there was no previous value.

After Identifies what the access group detail was changed to.
Create New Click this button to create a PDF report with the details on this page.
Report
Managing Access in the Application

A delegation is a list of permissions to specific functionality within the ACM system that can be assigned to an
ACM operator (or a group of operators) using roles. For example, you can create one delegation containing
only the permissions that allow operators access to configure identity settings, and another delegations
containing only the permissions that allow operators access to monitor events.
To give an ACM operator permission to use specific functions, you create a delegation that contains only the
permissions to use those specific functions, and then assign that delegation to a role. Only when a role
assigned that delegation s assigned to an operator can the operator access these functions. For example, for
an operator to validate an SSL certificate from an LDAP server, that operator must be assigned a role that
contains a delegation that includes the Collaboration Validate Certificate permission.
After you have created a delegation, you must assign it to a role to make it effective.
Adding a Delegation
To add a new delegation:
1. Select Roles > Delegations.

2. Click Add Delegation and enter a name for the new delegation.
Or, click to create a copy of an existing delegation.
3. Click Save.
The Delegation Edit page appears.
4. Select the permissions you want to include in the delegation.
5. Click Save.
6. After you have created a delegation, you must assign it to a role to make it effective. For more
information, see Adding a Delegation to a Role on the next page.
Managing Access in the Application 118

Editing a Delegation
To edit an existing delegation:

The Delegations list appears.
2. Click the name of the delegation you want to edit.
The Delegation Edit page appears.
3. Make the required changes.
4. Click Save.
Adding a Delegation to a Role

You must assign a delegation to a role to make it effective.
1. Click Roles.
The Roles list is displayed.
The Role Edit screen appears.
3. Select the Delegate tab.
4. Select the delegations that you want to add to the role.
5. Click Save.
All the people with this role now have the access permissions defined by the delegation.
Deleting a Delegation
To delete an existing delegation:

The Delegations list is displayed.
2. From the Delegations list, click beside the delegation that you want to delete.
Delegations list
When you select Roles > Delegations, the Delegations list is displayed. This page lists all the
Editing a Delegation 119

delegations that have been configured in the system.
Name The name of the delegation.
Click the name to edit the delegation.

Members The number of tasks that are permitted in the delegation.
Create a Copy Click to create a copy of an existing delegation.
Delete Click to delete the delegation.
Add Delegation Click this button to add a new delegation.
Create New Report Click this button to generate a report of all the delegations in the system.
Delegations - Delegation: Edit page

When you click the name of a Delegation from the Delegations list, the Delegation: Edit page is displayed.
This page allows you to specify what tasks are authorized by this delegation.
Feature Description
Name Enter the name of the delegation.
Available A list of available tasks in the ACM application.
To add a task to the delegation, select the term from the Available list, then click to move it
to the Members list.
Members A list of tasks that are Members of this delegation.
To remove a task from this delegation, select the term from the Members list, then click to
Search Enter a term, then click Filter to filter the results in the Available window.
Click Clear to remove the filter.

Case- Check this box to indicate that the letters in the Search field are case-sensitive.
sensitive
Delegations - Delegation: Edit page 120

Managing a Partitioned ACM System
Tip: Refer to this information if you are performing initial configuration of an ACM appliance before
its deployment.
Partitions are separate administrative access zones within the ACM system that can be independently
managed. Since it is highly scalable, a single ACM system can be partitioned to manage access for individual
tenants in an office tower, buildings on a campus, or locations in a geographically dispersed organization.
Think of partitions as independent instances of an ACM system within your ACM system.
Partitioning is much like filtering. You can create simple functional partitions or complex special-purpose
partitions. The more complex your partitioning is, the more carefully it needs to be administered.
Note: Do not confuse areas with partitions. A partition is a separate administrative access zone
within the ACM system. An area is a physical location that requires additional access control.
Therefore, in a partitioned system, an area is configured within a partition.
In a non-partitioned system, all the items and functions are potentially available to all identities (ACM
operators and badge holders). Roles and delegations are used to restrict operator access to the functionality
and items, and access groups are used to restrict badge holders physical access.
Important: In a partitioned system, all the items and functionality that are assigned to a partition are
available only to identities who are also assigned to that partition. Within a partition, roles and
delegations are used to restrict operator access to functionality and items, and access groups are
used to restrict badge holders physical access. All partition items can be assigned to multiple
partitions.
It is recommended that an ACM system is partitioned before it is deployed, and that you use the default
System Administrator identity (with the login ID admin) to set up the partitioned system.
Items not assigned to any partition belong to an unnamed partition, called the blank partition, and are
available to all identities. Treat the blank partition as a separate partition that everyone can access. For badge
holders, use the blank partition to contain the doors to common areas, which might include building
entrances, parking garages, elevators, and the like, which all badge holders can access. For ACM operators,
use the blank partition to contain the common items, which any operator can configure.
Tip: Alternatively, you can create dedicated common partitions , which might be more practical for a
geographically dispersed partitioned ACM system, and keep the blank partition empty.
When configuring an:
Managing a Partitioned ACM System 121

l Identity–Assigning an ACM operator to one or more partitions restricts the operator to items in their
assigned partitions and those not assigned to any partition. Not assigning an operator to any partition
restricts the operator to items not assigned to any partition.
l Item–Assigning an item to a partition restricts who can see or edit the item to ACM operators assigned
to that partition. If you assign all partitions to an item, the item can be viewed by all operators EXCEPT
those not assigned to any partition. If you do not select a partition, any ACM operator can edit the item.
After partitions are configured, the Partition drop-down menu appears as a configuration option for any
object that can be assigned to a partition.
Planning a Partitioned System

Ideally, plan how to partition your ACM system before you deploy it. It is much easier to deploy a partitioned
system and then provision it than it is to add partitions to an already deployed system and reconfigure it all
over again. If partitioning is not properly planned out and tested before it is operational, there is a risk that
items may be hidden (inaccessible) to the users that need them to do their jobs properly.
Some of the considerations you should keep in mind when planning your partitions:
l Centralize control.
Always use the default system administrator identity to set up partitions. This identity always has full
access to all partitions.
l Limit ACM operator access to partitions.
Only allow the ACM operators who are responsible for access control operations within a partition
permission to access that partition. To enforce this:
o Create a custom admin role for the ACM operator identities assigned to administer a partition.
Configure this role and its delegations so that the system administrator of a partition is
prevented from creating partitions or assigning themselves to other partitions.
o Create custom roles with the required delegations for ACM operator identities assigned other
responsibilities in a partition. Configure these roles to include only the delegations needed. The
default roles (such as monitoring, or enrollment operator) can also be used, as they are
preconfigured with the necessary delegations.
For example, to create an enrollment operator who , ensure that
o Create identity records for ACM operators restricted to specific partitions so that they cannot
view or change their own identity records. Configure the operator's identity record
(Identities>Identity) so that it is not visible to any partition that includes them as an operator
(Roles>Partitions).
Important: If you are partitioning roles or delegations, ensure that the operators assigned to
those roles and delegations also have access to the partitions.
l Keep partitions as simple as possible.

Avoid shared items within more than one partition. Ideally, set up each partition so that its physical
infrastructure is completely separate from the other partitions. For example, no door should be in more
Planning a Partitioned System 122

than one partition. A partition should consist of only the items that need to be managed within that
partition.
Some examples are:
o Doors and elevators shared by two tenants on the same floor. Create a separate partition for
the shared doors and elevators and assign it to both tenants. The ACM operator for either
tenant can configure the doors in that shared partition and each operator can allow badge
holders to access doors in their own partition plus in the shared partition.
o A geographically dispersed ACM system with remote offices. Create a partition for each remote
office. The default system administrator can access all partitions and manage the entire system,
and a local ACM system administrator at each remote office can manage their offices' partition.
Badge holders who need access to more than one remote office can then be assigned to the
partitions of the remote offices they need to access.
Tip: If you must have partitions with duplicate items, such as doors shared by two tenants, be
aware of some of the complications that administrators or other operators with access to
some (but not all) partitions may encounter when modifying partitions. For example, you may
experience problems if you have to change the configuration of your partitions as tenants
move in or out, or increase or decrease their floorspace.
l Manage the blank partition carefully.

The blank partition contains items not assigned to any partition.
Any identity or item not assigned to a partition is defined by default to the blank partition, and is
restricted to that partition. For example, badge holders restricted to the blank partition can only open
doors in the blank partition. However, badge holders assigned to one or more partitions can open
doors in the partitions to which they are assigned and in the blank partition. Similarly, ACM operators
restricted to the blank partition can only configure items in the blank partition. However, operators
assigned to one or more partitions can configure items in the partitions to which they are assigned and
in the blank partition.
In a partitioned system, there will be a limited number of badge-holders who can access all the partitions,
such as concierge, security, service, and maintenance personnel. These personnel should be assigned to all
partitions in their identity record. Regardless of whether the system is partitioned, there should also be at
least one other ACM operator assigned the SuperAdmin role, as a backup for the default System
Administrator account for the ACM system.
Configuring a Partitioned ACM System

It is recommended that you partition your ACM system before it is operational at your site, and that you use
the default System Administrator identity (with the login ID admin) to set up the partitioned system.
Use the following workflow to set up your partitioned ACM system:
Configuring a Partitioned ACM System 123

1. Determine how many partitions you need.
2. Create a custom delegation based on the Admin delegation that excludes the Identities New and
Identities Edit delegations. For example Partition Admin Deleg.
3. Create a custom role that includes the new delegation. For example Partition Admin.
4. For each planned partition, create a new identity in the ACM system and assign it the Partition Admin
role. This identity will be assigned to the partition as its local administrator.
5. Create each partition and add the identity of its local system administrator to the partition. Both the
default system administrator and the local partition administrator identities can manage this partition.
6. Test the partitions you created before your ACM system is deployed. At the very least, each partition's
ACM operators should enroll a sample set of badge holders and monitor them as they access the
partitioned site.
After you have partitioned the system, you can use routing groups. For more information on routing groups,
see Routing Events to the Monitor Screen on page 127.
Adding a Partition
This is a basic procedure on how to add a partition. For a more advanced procedure on how to partition the
ACM system, see Configuring a Partitioned ACM System on the previous page.
Tip: It is recommended that you use the default Admin account to set up partitions.
To add a new partition:
1. Select Roles > Partitions.

The Partitions list is displayed.
2. Click Add New Partition.
The Partition Add page appears.
3. Enter a name for the new partition, then click .

The Partition Edit page appears.
4. Select the operators that you want to include in the partition.
5. Click Save.
The Partitions field now appears as a configuration option for most system settings.
Adding a Partition 124

Editing a Partition
To edit an existing partition:

The Partitions list appears.
2. Click the name of the partition you want to edit.
For a more advanced procedure on how to partition the ACM system, see Configuring a Partitioned
ACM System on page 123.
4. Click Save.
Deleting a Partition
To delete an existing partition:
2. From the Partitions list, click beside the partition that you want to delete.
Partitions - List
When you select Roles > Partitions, the Partitions list is displayed. This page lists all partitions that have
been configured in the system.
Feature Description
Name The name of this partition.
Click the name to edit the partition.

Members The number of users that have access to this partition.
Delete Click to delete this partition.
Add New Click this button to add a new partition.
Partition
Create New Click this button to generate a report of all the partitions in the system.
Report
Partitions - Add page

To add a new partition:

2. Click Add New Partition.
The Partition Add page appears.
3. Enter the name of this partition.
Editing a Partition 125

4. Click Save.
5. From the Available list, select the users that should have access to the partition, then click .
The users are added to the Members list to show that they have access to the partition.
To remove users from the partition, select the users from the Members list and click .
Partitions - Partition Edit page

When you click the name of a Partition from the Partitions list, the Partition Edit page is displayed.
This page allows you to add users to the partition.
Feature Description
Name Enter the name of this partition.
Available A list of users in the system. Only users with login credentials appear in this list.
To add a user to this partition, select the user from the Available list, then click to move it to
the Members list.
Members A list of users that have access to this partition.
To remove a user from this partition, select a user from the Members list, then click to
Assigning Partitions to ACM Operators and Entities

After a partition (or a set of partitions) is created, populate each partition with the needed items for its
deployment. Each partition should have:
l One or more ACM operators with specific responsibilities in that partition.
Any identity with login credentials to the ACM system can be a member of a partition. Membership of
an identity in a partition is assigned on the Partition: Edit page. For more information, see the
Partitions - Partition Edit page above.
Partitions - Partition Edit page 126

If you do not want the operators in this partition to be viewed by other operators in the system, go to
the Account Information section at the bottom of the Identity Edit page and assign them to the
appropriate partition.
l These ACM operators must be assigned the roles and delegations that allow them access to the ACM
system.
You can use the default roles and delegations or create new ones. You can create roles and
delegations like the default roles and delegations that are not assigned to any partition, which can be
assigned to an operator in any partition. For example, you can create an identity record for an ACM
operator responsible for enrolling other operators and badge holders in a specific partition. Assign the
default enrollment operator role and its associated delegations to that identity record, and add that
identity to the that partition.
Alternatively, you can assign roles and delegations to specific partitions. Partitions are assigned to a
role on the Roles: Edit page, to a delegation ion the Delegation: Edit page.
Important: If a role is assigned to specific partitions, operators not assigned to any of those
partitions may be prevented from accessing the ACM system, or parts of it. To avoid this,
ensure that all identities assigned the role also have access to the same partitions. You may
also have to create additional roles to access the same functionality in the other partitions.
The same is also true of delegations.
l All of the entities, such as doors and related infrastructure (policies, groups, access groups, routing
groups, and elevator access levels), within the partition's scope that allow badge holders physical
access to the site.
Membership of any entity in a partition is assigned in its edit page. Navigate to the entity's edit page
and select the partition, or partitions, from the Partitions drop-down list.
An empty, or blank, Partition field for any entity has a specific meaning. An entity not assigned to any partition
can be viewed by all ACM operators, including those not assigned to a partition. However, as soon as any
entity (which could be a badge holder, an operator, a door, or any logical entity such as an access group) is
assigned to a partition, it can only be viewed by operators assigned to that partition. An entity assigned to
more than one partition can be viewed by operators assigned to any of those partitions. When an entity is
assigned to all partitions, it can be viewed by all operators except operators not assigned to any partitions.
For example, identity records with a blank partition field can be viewed by any ACM operator. However,
identity records with one or more partitions assigned to them can only be viewed by ACM operators with
access to any of those partitions. If you assign an ACM operator to a partition, their identity record can only be
viewed by other operators assigned to that partition. Similarly, for badge holders assigned to a partition, their
identity records can only be viewed by operators assigned to that partition and their access privileges are
restricted to the reader and doors in that partition (plus readers and doors not in any partition).
Routing Events to the Monitor Screen

A routing group controls which events are routed to an operator's Monitor screen. This is achieved by
specifying event types and event sources in the routing group. Only those event types that originate from the
specified event sources will be routed. This is an advanced feature that requires the use of partitions, groups,
Routing Events to the Monitor Screen 127

and roles, and should only be configured by an experienced operator.
For example, a lobby security guard may only need to monitor people who access the building through the
front door during regular work hours, but they would not need to know about system activity in the ACM
application. You can use a routing group to ensure that the security guard only sees events related to the
lobby area.
You must set up partitions and groups before you can use routing groups. For more information on partitions,
see Managing a Partitioned ACM System on page 121. For more information on groups, see Configuring
Groups on page 104.
After you have created a routing group, you must assign it to a role to make it effective.
Routing Groups - Introduction

A routing group controls which event types and event sources are routed to the Monitor screen.
For example, a lobby security guard may only need to monitor people who access the building through the
front door during regular work hours, but they would not need to monitor operators that are logging in and
out of the ACM application.
After you have defined a routing group, only the event types produced by the event sources during the
specified schedule will be routed to the Monitor screen.
You must set up routing schedules and groups of hardware components before you can use routing groups.
Adding a Routing Group

To add a new routing group:
1. Configure partitions for the routing group. For more information on configuring partitions, see
Configuring a Partitioned ACM System on page 123.
2. Create a hardware group that contains the event sources of interest. For more information on creating
a hardware group for routing, see Creating a Hardware Group for Routing on page 106.
3. If you want to route events for specific time intervals, set up one or more schedules. For more
information on adding a schedule, see Adding Schedules (Intervals in Schedules) on page 395.
4. Select Roles > Routing Groups.
The Routing Groups list is displayed.
5. Click Add New Routing Group.
The Routing Group Add page is displayed.
6. Enter a name for the routing group.
Important: Select the appropriate partition for this routing group.
Routing Groups - Introduction 128

8. Click Save.
9. Select the Event Types tab.
10. Select the event types that you want to route.
When you're finished, click .

11. Select the Groups tab.
12. Select the group of hardware components that you want to route.
13. Click Save.

14. After you have created a routing group, you must assign it to a role to make it effective. For more
information, see Assigning a Routing Group to a Role below.
Editing a Routing Group

To edit an existing routing group:

The Routing Groups list appears.
2. Click on the routing group you want to edit.
The Routing Group Edit screen appears.
l Schedule: use this page to edit the routing group settings, including the name and schedule
l Event Types: use this page to select the event types that you want to route
l Groups: use this page to select the groups of event sources that you want to route
Assigning a Routing Group to a Role

You must assign a routing group to a role to make it effective.
Editing a Routing Group 129

1. Click Roles.
The Role Edit screen appears.
3. Select the Routing tab.
4. Select the routing groups that you want to add to the role.
5. Click Save.
All the operators with this role can now monitor the events defined by the routing group.
Deleting a Routing Group

To delete an existing routing group:
2. From the Routing Groups list, click beside the routing group that you want to delete.
Routing Groups list

When you select Roles > Routing Groups, the Routing Groups list is displayed. This page lists all routing
groups that have been configured in the system.
Feature Description
Name The name of the routing group.
Click the name to edit the routing group details.

Schedule Indicates when this routing group is active.
Event Type The number of event types that are in this routing group.
Group The number of groups that are in this routing group.
Delete Click to delete this routing group.
Add New Click this button to create a new routing group.
Routing Group
Create New Click this button to generate a report of all the routing groups in the system.
Report
Routing Groups - Add page

When you click Add New Routing Group from the Routing Groups list, the Routing Group Add page
Deleting a Routing Group 130

appears. Enter the required details.
Feature Description
Name Enter the name of this routing group.
are listed.
Schedule From the drop down list, select the option that qualifies the schedule.
Qualifier
l Appliance : Relative to the local time on the appliance when the transaction was created
within the ACM system.
l Event: Relative to the local time when the originating event occurred.
Installed Check this box to indicate that this routing group is currently operational and available to the
system.
Routing Groups - Schedule page

When you click the name of a Routing Group from the Routing Groups list, the Routing Group Schedule page
is displayed. Click on the Schedule tab to return to this page.
Feature Description
Name Enter the name of this routing group.
are listed.
Schedule From the drop down list, select the option that qualifies the schedule.
Qualifier
l Appliance : Relative to the local time on the appliance when the transaction was created
within the ACM system.
l Event: Relative to the local time when the originating event occurred.
Installed Check this box to indicate that this routing group is currently operational and available to the
system.
Routing Groups - Event Types page

When you select the Event Types tab from the Routing Group: Edit screen, the Event Types page is
Routing Groups - Schedule page 131

displayed. This page allows you to specify which event types should be routed in this routing group.
Feature Description
Routing The name of this routing group.
Group
Click this name link to return to the Schedule page.
Available A list of event types configured in the system.
To add an event type to the routing group, select the term from the Available list, then click
to move it to the Members list.
Members A list of event types that are in this routing group.
To remove an event type from the routing group, select the term from the Members list, then
click to move it to the Available list.
Routing Groups - Groups page

When you select the Groups tab from the Routing Group: Edit screen, the Groups page is displayed. This
page allows you to add groups to this routing group.
Feature Description
Routing The name of this routing group.
Group
Click this name link to return to the Schedule page.
Available A list of groups configured in the system.
To add a group to the routing group, select the term from the Available list, then click to
Members A list of groups that are in this routing group.
To remove a group from the routing group, select the term from the Members list, then click
Managing Elevator Access

An Elevator Access Level defines a badge holder's elevator access to the floors in a building.
For example, you can create an elevator access level that contains Floor 1 and Floor 3. When you add this
elevator access level to an access group, all users in that access group will have access to Floor 1 and Floor 3.
Routing Groups - Groups page 132

If you want to control elevator access during specified time intervals, you must set up schedules prior to
creating the elevator access level. For more information on schedules, see Adding Schedules (Intervals in
Schedules) on page 395. After you have created an elevator access level, you must assign it to an access
group to make it effective.
Note: This feature currently applies to Mercury Security elevator transactions in floor tracking mode.
Adding an Elevator Access Level

If you want to control elevator access during specified time intervals, you must set up schedules prior to
creating the elevator access level. For more information on schedules, see Adding Schedules (Intervals in
Schedules) on page 395.
To add a new elevator access level:
1. Select Roles > Elevator Access Levels.

The Elevator Access Levels listing page is displayed.
2. Click Add New Elevator Access Level.
3. Enter a name for the elevator access level in the Description field.
4. Select an appliance to manage the elevator access level.
5. Click Save.
6. After you have created an elevator access level, you must assign it to an access group to make it
effective. For more information, see Assigning an Elevator Access Level to an Access Group below.
Editing an Elevator Access Level

To edit an elevator access level:

The Elevator Access Levels Listing page appears.
2. Click on the elevator access level you want to edit.
The Elevator Access Level Edit screen appears.
4. Click Save.
Assigning an Elevator Access Level to an Access Group

You must assign an elevator access level to an access group to make it effective.
Adding an Elevator Access Level 133

The Access Groups listing page is displayed.
2. Click the name of the access group you want to edit.
3. From the Elevator Access Level drop down list, select the elevator access level.
4. Click Save.
All users in that access group now have access to the floors in the elevator access level.
Deleting an Elevator Access Level

To delete an existing elevator access level:
2. From the Elevator Access Level listing page, click beside the elevator access level that you want
to delete.
Elevator Access Levels list

When you select Roles > Elevator Access Levels, the Elevator Access Levels list is displayed. This page lists
all elevator access levels that have been configured in the system.
Feature Description
Description The name of this elevator access level.
Click on the name to edit the elevator access level details.

Delete Click to delete this elevator access level.
Add New Click this button to add a new elevator access level.
Elevator
Access Level
Elevator Access Levels - Add page

When you click Add New Elevator Access Level from the Elevator Access Level list, the Elevator Access
Level Add page appears. Enter the required details.
Feature Description
Description Enter the name of this elevator access level.
Appliance From the drop down list, select the appliance that manages this elevator access level.
Output Indicates the default output number.
Description The name of each floor.
The floors are named by default, but you can rename them.
Deleting an Elevator Access Level 134

Feature Description
Schedule Indicate when a card/code has free access to the specified floor, meaning a valid card/code is
not required to access this floor.
system are listed.
Elevator Access Levels - Elevator Access Level: Edit page

When you click the name of an elevator access level from the Elevator Access Level list, the Elevator Access
Level: Edit page is displayed. Make any changes that may be required.
Feature Description
Description Enter the name of this elevator access level.
Appliance From the drop down list, select the appliance that manages this elevator access level.
Output Indicates the default output number.
Description The name of each floor.
The floors are named by default, but you can rename them.
Schedule Indicate when a card/code has free access to the specified floor, meaning a valid card/code is
not required to access this floor.
system are listed.
Elevator Access Levels - Elevator Access Level: Edit page 135

Reports
The Reports screen allows you to create, edit, preview, and generate reports. Reports are used to gather
information from the system in either a PDF or Spreadsheet. Reports can be saved on your local computer
and referred to offline. For example, the Identity/Doors with Access Report can be used to view which doors
each identity has access to. You have the option of using the default system reports or customizing the
reports to fit your needs.
Generating Reports
Anytime you see PDF or Spreadsheet, you can generate and save a copy of the current report.
You can generate a copy of reports from the Reports list, the Report Edit page or from the Report Preview
page.
Generated reports will only show the filtered information that is displayed. To edit the report before you
generate it, see Editing Reports on the next page.
l
Click to save the current report as a PDF file.
l
Click to save the current report as a CSV format spreadsheet.
Most generated reports saved as PDF files contain a maximum of 2,000 records, except the Audit Log
Report, which contains a maximum of 1,000 records. Reports saved as CSV format spreadsheet files contain a
maximum of 2,000 records.
Depending on your web browser, the file may be auto-downloaded or you will be prompted to save the file to
your local computer.
Report Preview
When you click the name of a report from the Reports list and select , a preview of the selected report is
displayed.
In the preview, you can check the report to see if the report gives you the information you need, search the
report, or generate the report. For example, if you wanted to know the role of an identity, you can preview the
Identity Summary report and search for the specific identity.
You can use the following options to control what is displayed:
Reports 136
Tip: Click to filter the report. The preview bar expands to display search criteria.
Feature Description
Generate Report
The generate report options are displayed in the top left corner of the report preview.
Click this button to generate a PDF copy of the current report.
Click this button to generate a CSV or spreadsheet copy of the current report.
Preview Bar
The preview options are displayed at the bottom of the report page.
Click this icon to filter the report.
The report filter options are displayed. The options change depending on the
report.
l Click Search to perform a search using the selected filter options.
l Click Reset to clear the report filter options.
l In the drop down list beside the Reset button, choose if the search will
locate all or any transactions that match the selected report filters.
l Click Save to save and apply the selected filters to the default report.
Select the number of items you want to display on a single page.
Click this button to return to the first page of the report.
Click this button to return to the previous page of the report.
Enter the page you want to go to.
Click this button to bring up the next page of the report.
Click this button to go to the last page of the report.
Click this button to refresh the report.
Editing Reports
All reports can be edited or filtered to only display the information that you need. You can edit default system
reports and custom reports in the same way.
If you plan to use the filtered report frequently, you can create a custom report rather than modify the default
Editing Reports 137

system report every time. For more information see Creating Custom Reports on the next page.
Most generated reports saved as PDF files contain a maximum of 2,000 records, except the Audit Log
Report, which contains a maximum of 1,000 records. Reports saved as CSV format spreadsheet files contain a
maximum of 2,000 records.
Reports requiring more than 2,000 rows must be scheduled as a batch job for system performance. For more
information, see Generating a Batch Report on page 478.
1. Display the Reports list.

l To display the system reports page, click Reports.
l To display the custom reports page, select Reports > Custom Reports.
2. Click for your report.
Note: The Audit Log Report and Transaction Report do not have available. To edit, click on
the report name and follow the steps in the related procedure - Editing Audit Log and
Transaction Reports below.
3. Edit the report criteria.
4. Click to save your changes.
Now you can generate or preview the report with your changes.
Editing Audit Log and Transaction Reports

The Audit Log and Transaction Reports are edited differently from other reports. There is no edit function
directly available from the Reports list.
Follow the steps below to edit these reports.
1. Display the Reports list.

l To display the system reports page, click Reports.
l To display the custom reports page, select Reports > Custom Reports.
2. Click on the name of the report
3. Click in the bottom left-hand corner on the following page (either the Grid: Transaction Report or
Grid: Audit Log page).
The Find section opens.
4. Do the following to define criteria for the report:
l Select an option in the search type field (e.g. External System ID).
l Select an option in the search operator field (e.g. greater or equal to).
l Select an option in the search value field (e.g 12/07/2015 00:00:00).
Editing Audit Log and Transaction Reports 138

The Full Name search type field available for the Transaction Report returns results for a limited
number of combinations of search operator and search value entries. For example, using an identity
with the name John Smith, the following searches will succeed:
Search Operator Search Value
contains Smith, John
John
Smith
equal Smith, John
begins with Smith
ends with John
5. Click to add more search fields, if required.

Complete step 4 above for each additional field added.
6. Click Save to save your changes.

The ACM Notification message displays with the message 'Search Parameters successfully changed'.
7. To save these filter settings as a custom report, enter a name in the Create Custom Report: field , then
click Create Custom Report:.
8. To reset the search criteria, click Reset
Now you can generate or preview the report with your changes.
Creating Custom Reports

A custom report is a system report that has been duplicated and edited to meet your requirements. You can
create a custom report that are used frequently.
1. Select Reports > Reports.
2. Click for the report you want to base the custom report on.
3. On the Report Edit page, select the Copy Report checkbox.
4. Give the new report a name.
5. Edit the report options to meet your requirements.
6. Click to save the new custom report.
See Scheduling a Custom Report By Batch Job (Specification) on the next page.
Creating Custom Reports 139

Scheduling a Custom Report By Batch Job (Specification)
To schedule the creation of a custom report by batch job:
1. Select Reports > Custom Reports.

2. Click the Schedule link next to the report name.
3. Create the schedule:
a. In the Job Specification window with the report information, enter:
Name The name of the schedule.
Output Format pdf (default) or csv.
b. Click Next.
The current values of the report cannot be edited here. If you need to edit, go to the Custom
Reports tab and click Edit.
c. Enter the schedule:
Repeat Once, Hourly, Daily, Weekly or Monthly.
(The page refreshes depending on your selection.)
For Weekly: Any of the Sun, Mon, Tue, Wed, Thu, Fri, Sat checkboxes.
For Monthly: The date.
On The time in 24-hour clock format in HH (hour, such as 20) and MM
(minute, such as 00).
For Once: Click the field to select the date from the calendar. Then
adjust the hour, minute and second selectors to set the time.
d. Click Next.
e. Optional. Enter a checkmark in Send Email and the email address.
If an email is not specified, go to the Batch Jobs tab to retrieve the report on the appliance
(after the job specification completes).
a. Click Submit. The schedule is created.
4. Create the batch job to run the custom report on schedule:
a. Select > My Account.

b. Click the Job Specification tab.
c. Select the schedule and click Activate/Deactivate.
The Activated on date is displayed in the right-most column.
5. To view the reports generated by the batch job, click the Batch Jobs tab. The reports stay in the list
until manually deleted.
To remove a report, select the row and click .
Scheduling a Custom Report By Batch Job (Specification) 140

Creating Custom Audit Log and Transaction Reports
A custom audit log report lists all the selected recorded system logs. You can create a custom audit log
report to report only a selection of required audit logs. A custom transaction report lists all the selected
recorded system transactions. You can create a custom transaction report to report only a selection of
required system transactions.
1. Click Reports.
2. Click Transaction Report in the Report Name column.
3. Click at the bottom of the page. The preview bar expands to display search criteria.
4. Enter the details you want to include in the report in the Find section. (Click to add more fields.)
5. Click Search.
The system transactions are filtered into a report.
6. In the Create Custom Report field, enter a name for the report.
7. Click Create Custom Report to save the new report.
Creating Custom Audit Log and Transaction Reports 141

Physical Access
The Physical Access pages allow you to access all connected panels, doors, inputs, outputs and associated
security devices. These devices can be added, modified, and deleted. The status of the hardware can also be
monitored from these pages.
Panels are controllers that connect one or more door controllers (subpanels) and their associated readers to
the appliance. Doors are logical units incorporating one or more components that are connected to a panel.
The configuration of a door allows users to access certain areas.
Inputs are devices associated to panels and doors. For example, motion sensors or smoke detectors. Outputs
are devices that perform tasks in response to input data. For example, unlocking a door or setting off a fire
alarm.
Templates Overview
For ASSA ABLOY, Avigilon and Mercury Security doors.
You can speed up the process of defining panels, subpanels and doors in the ACM system by creating
templates for bulk creation. For example, door templates create doors that automatically populate field
values on the Parameters and Operations tabs.
l Door templates
Standardize door configurations that set the basic parameters and operational settings for each type
of door at your site. Door templates are used when adding individual doors, modifying or updating
common door settings for groups of doors, or when batch creating subpanels for doors when adding a
new Mercury panel.
Note: Only door templates are applicable to ASSA ABLOY doors.
Tip: Although you can create multiple door templates with the same name, it is recommended
that you give each the indoor template a unique name.
l Reader templates
Standardize reader settings. Reader templates are referenced from a wiring template when batch
creating subpanels for doors on a new panel.
Physical Access 142

l Output templates
Standardize output settings. Output templates are referenced from a wiring template when batch
creating subpanels for doors on a new panel, or used when batch creating output or input/output
subpanels.
l Input templates
Standardize input settings. Input templates are referenced from a wiring template when batch creating
input subpanels for doors on a new panel, or used when batch creating output or input/output
subpanels.
l Wiring templates
Standardize Mercury subpanels with wiring templates that link subpanel addresses to door, reader,
input, and output templates. Wiring templates are used to batch add the connections to functioning
subpanels and doors wired to a new Mercury panel when the panel is added to the ACM appliance.
Door Templates
A door template contains a predefined set of common parameter values and operational settings that can be
applied to doors. Use a door template to populate the values assigned in the template to doors:
l When adding a new Mercury panel to the ACM system, new doors can be created in bulk by batch
creating the subpanels on the new panel. Door templates are used together with wiring templates to
create access-controlled doors with preset configurations ready for use after the new panel and
subpanels are fully connected and communicating with the ACM system. To bulk create doors using a
wiring template when adding a new panel, see Batch Creating Subpanels on a New Mercury Panel on
page 171.
l When adding a new door, you still need to configure many attributes such as operations, hardware,
cameras, and interlocks specifically for individual doors. To create a door using a template, see
Adding Doors on page 225.
l When standardizing settings or updating settings supported by a door template for a group of doors.
o When you have many doors defined with non-standard settings, create a group containing
these doors and a new door template containing the standard settings. Then apply the new
template to the group of doors.
o When you have to change a setting common to all doors that use the same template, modify
the door template. Then apply the modified template to the group of doors.
You can apply a template to a group of doors:
o Immediately from the Templates page, using the Batch Update option.
o Alternatively, at any time after the template is created or modified, from the Groups using the
Batch Update option.
o At a future time, or on a schedule, from the Batch Jobs Specifications page.
Note: When you use the Batch Update option and there are more than 10 doors in the group,
a batch job is launched, which runs in the background.
To create a new template, see Door Templates - Add page on page 145.
Door Templates 143

When you select Physical Access > Templates, the Door Templates tab is selected, and the Door
Templates list page is displayed. This page lists all door templates that have been defined in the system.
Door Templates - Batch Update

The Batch Update feature on the Templates page allows you to assign a door template to a group of doors
from the same manufacturer. This is useful for applying new settings or modifying current settings to a group
of doors.
browser.
1. Select Physical Access > Templates.

The Templates panel opens with the Door Template tab selected and the Door Templates list
displayed.
2. On the Door Templates list, click from the Batch Update column beside the template you want
to apply to a group.
The Batch Update dialog box appears.
3. From the Group drop down list, select a group of doors.
Only the groups that have been previously defined appear in this list.
4. Click OK.
All members of the specified group are updated with this template's settings.
If there are more than 10 doors, the update will be automatically scheduled as a batch job that starts two
minutes after you select the group and click OK. This can be checked at > My Account > Batch Jobs.
Door Templates list page

When you select Physical Access > Templates, the Door Templates tab is selected, and the Door
Templates list page is displayed. This page lists all door templates that have been defined in the system.
Feature Description
Name The name of the door template.
Click the name to edit the door template details.

Feature Description
Batch Update
Click to apply the template to all doors in a group. For more information,
see Door Templates - Batch Update on page 149.
Delete Click to delete the door template.
Click to add a new door template.
Door Templates - Add page
When you click:

l Add Template on the Door Templates list, the Templates: Add page appears. Enter the required door
template details.
l On the name of a door template on the Door Templates list, the Templates: Edit page appears. All of
the configurable items for a door that can be set using a door template appear in the Parameters and
Operations tabs after you specify the vendor.
Important: To bulk add door subpanels when adding a new Mercury panel, you must use a door
template that has a value specified for Door Mode. Before using the Subpanel: Batch Create wizard,
ensure that a door template for the door subpanel type has been configured. Door templates without
a Door Mode specified are not available for the wizard to use.
Note: You can add additional values to some drop down lists using the User Lists feature. For more
information, see Adding Items to a List on page 409.
Name the template and specify the site and vendor information.
Feature
Name You can change the name of the template. The name should be unique.
Partitions Displayed for a partitioned ACM appliance only. To restrict operator access to the item,
select one or more partitions. To allow all operators access to the item, do not select a
partition.
The selection you make for the door template sets in which partitions doors are created.
Vendor The name of the door manufacturer. After you select the name, the page is refreshed to
show the Parameters tab.
Model Select Generic for any vendor to display all the configurable items for that vendor's
door controllers in the Parameters and Operations tabs. If you select Mercury as the
Vendor, you can select the panel model. After you select the model, the page refreshes
again to show only the configurable items for that model.

Feature
After you select the vendor and model, update the individual items for the template to apply on the two
panels on the Parameters tab:
l On the Parameters panel, for each item except Partitions, you can select from three or more choices,
which vary from item to item:
o <No Change>: Do not change the value. If the door is new, the item is left blank, or set to its
default value. If there is already a value, it is unchanged.
o <BLANK>: Clear the value. If the door is new, the item is left blank. If there is already a value, it is
cleared. This choice only appears if no value is required.
o All other choices are specific to that item.
o The Partition item appears only if partitions are defined at your site.
l On the Door Processing Attributes tab, the choices are:
o <No Change>
o <Yes>
o <No>
For detailed information about each item on the Parameters tab, see:
l Parameters tab (Mercury Security) on page 252
l Parameters tab (VertX® ) on page 239
Next, update the individual items for the template to apply on the Operations tab:
l For the items with drop-down lists, except Card Formats, you can select from three or more choices,
o For all the other items, enter a value in seconds, or leave blank to use the default value.
l For Card Formats, if you select:
o <No Change>: Do not change the value. If the door is new, the list of card formats for the door
will be populated by the card formats supported by the panel associated with the door.
o <BLANK>: Clear the value. If the door is new, the list is left empty. If there is already a value, it is
cleared.
o Assign: Replace any card formats supported by the door with the card formats specified in the
template.
o Add: Append the card formats specified in the template to the card formats already supported
by the door.
o Remove: Remove the card formats specified in the template from the list of card formats
supported by the door.

After you make your choice of Assign, Add, or Remove, a list of all the configured card formats is
displayed. Click to select one card format, or use any of click and drag, Shift and click, or Ctrl and click
to select multiple card formats and move them to the Members list.
For detailed information about each item on the Operations tab, see:
l Operations tab (Mercury Security) on page 256
l Operations tab (VertX®) on page 242
Door Templates - Door Template: Edit page
When you click on the name of a door template on the Door Templates list, the Door Template: Edit page
appears. All of the configurable items for a door that can be set using a door template appear in the
Parameters and Operations tabs after you specify the vendor.
Note: You can add additional values to some drop down lists using the User Lists feature. For more
information, see Adding Items to a List on page 409.
Name the template and specify the site and vendor information.
Feature
Name Enter the name of the template. This field is required. The name should be unique.
select a partition.
The selection you make for the door template determines in which partitions doors
are created.
Vendor The name of the door manufacturer. After you select the name, the page is refreshed
to show the Parameters tab.
Model Select Generic for any vendor to display all the configurable items for that vendor's
door controllers in the Parameters and Operations tabs. If you select Mercury as the
Vendor, you can select the panel model. After you select the model, the page
refreshes again to show only the configurable items for that model.
After you select the vendor and model, update the individual items for the template to apply on the two
panels on the Parameters tab:

l On the Parameters panel, for each item except Partitions, you can select from three or more choices,
o All other choices are specific to that item.
o The Partition item appears only if partitions are defined at your site.
l On the Door Processing Attributes tab, the choices are:
o <No Change>
o <Yes>
o <No>
For detailed information about each item on the Parameters tab, see:
l Parameters tab (Mercury Security) on page 252
l Parameters tab (VertX® ) on page 239
Next, update the individual items for the template to apply on the Operations tab:
l For the items with drop-down lists, except Card Formats, you can select from three or more choices,
o For all the other items, enter a value in seconds, or leave blank to use the default value.
l For Card Formats, select <No Change>, <BLANK>, or specify the format to apply after choosing one of
the following:
o Assign: Replace any card formats supported by the door with the card formats specified in the
template.
o Add: Append the card formats specified in the template to the card formats already supported
by the door.
o Remove: Remove the card formats specified in the template from the list of card formats
supported by the door.
After you make your choice of Assign, Add, or Remove, a list of all the configured card formats is
displayed. Click to select one card format, or use any of click and drag, Shift and click, or Ctrl and click
to select multiple card formats and move them to the Members list.
For detailed information about each item on the Operations tab, see:
l Operations tab (Mercury Security) on page 256
l Operations tab (VertX®) on page 242

Door Templates - Batch Update
The Batch Update feature on the Templates page allows you to assign a door template to a group of doors
from the same manufacturer. This is useful for applying new settings or modifying current settings to a group
of doors.
browser.
1. Select Physical Access > Templates.

The Templates panel opens with the Door Template tab selected and the Door Templates list
displayed.
2. On the Door Templates list, click from the Batch Update column beside the template you want
to apply to a group.
The Batch Update dialog box appears.
3. From the Group drop down list, select a group of doors.
Only the groups that have been previously defined appear in this list.
4. Click OK.
All members of the specified group are updated with this template's settings.
If there are more than 10 doors, the update will be automatically scheduled as a batch job that starts two
minutes after you select the group and click OK. This can be checked at > My Account > Batch Jobs.
Reader Templates
Use standardized reader settings and corresponding reader templates together with wiring templates to
configure Mercury subpanels when adding panels in the ACM appliance. Standardize your reader
configurations and create a reader template for each standard configuration in use at your site.
Note: Ensure all OSDP readers are configured in ACM software before physically connecting them.
OSDP is recommended for communications between readers, controllers and subpanels. OSDP offers
support for bi-directional communication, Secure Channel Protocol (SCP) to encrypt the traffic, and provides

additional status values for readers, improved LED controls, and simpler wiring.
Do not mix and match OSDP and non-OSDP readers on the same serial input/output (SIO) module. If OSDP is
being used, set all all reader addresses (including unused ones) to OSDP to avoid accidental re-
programming.
OSDP allows twice as many readers on most SIO modules. This allows a single controller port to control two
OSDP readers, however the second reader only functions if both readers on the port use OSDP and the
second reader is used on a paired door, or as the alternate reader for a single door. The second reader on an
OSDP port cannot be used to create a second single door.
To access reader templates, select Physical Access > Templates and then click the Reader Templates tab.
The Reader Templates list page is displayed. This page lists all reader templates that have been defined in
the system.
Tip: After you have configured new doors using templates, you must access each door, panel, or
subpanel to configure the unique settings that are not configured by each template.
Reader Templates list page

When you select Physical Access > Templates and click the Reader Templates tab, the Reader Templates
list page is displayed. This page lists all reader templates that have been defined in the system.
Ensure all OSDP readers are configured in ACM software before physically connecting them.
Feature Description
Name The name of the reader template.
Click the name to edit the reader template details.

Delete Click to delete the reader template.
Click to add a new reader template.
Reader Template: Add page

When you click on the Reader Templates list page, the Reader Template: Add page appears. Enter the
required reader template details.
Note: Ensure all OSDP readers are configured in ACM software before physically connecting them.
Feature Description
Name Enter a unique name for the template.
Vendor Choose Mercury Security or HID.
Mercury Security settings
Reader Templates list page 150

Feature Description
Reader Type Select the communication protocol used by readers configured with this template. The
options include:
l OSDP
Important: A reader template for an OSDP reader defines the baud rate

and the OSDP address to use. On a paired door using OSDP readers, you
need four OSDP reader templates: one for each OSDP address.
OSDP is recommended for readers, controllers and subpanels communications.

OSDP offers support for bi-directional communication, Secure Channel Protocol
(SCP) to encrypt the traffic, and provides additional status values for readers,
improved LED controls, and simpler wiring.
l F/2F
l D1/D0 (Wiegand )
l CLK+Data (Mag) ( NCI magnetic stripe standard)
l Custom (Default)
Note: The Custom option enables all options for all reader types. Readers
configured with versions of the ACM software earlier than Release 5.10.4
are assigned this reader type when the software is upgraded to ensure
that the previous settings are retained.
The following options depend on the selected Reader Type and include:
LED Drive Select the LED drive mode for readers configured with this template. The options depend
on the reader model and how it is wired and include:
l None
l Gen 1 wire
l Reserved
l Sep Red/Grn no buzz
l Dorado 780
l LCD
l OSDP
Format by Check this box to indicate that readers configured with this template support the format by
nibble nibble.
Bidirectional Check this box to indicate that readers configured with this template can read
bidirectionally.
F/2F Decoding Check this box to indicate that readers configured with this template use F or 2F decoding.

Feature Description
Inputs on Check this box to indicate that readers configured with this template provide one or more
reader input ports for serial input arrays.
Keypad decode Select the keypad decode/encryption method that is used by readers configured with this
template. The options include:
l MR20 8-bit tamper
l Hughes ID 4-bit
l Indala
l MR20 8-bit no tamper
Wiegand Check this box to indicate that readers configured with this template support the Wiegand
standard.
Trim Zero Bit Check this box to indicate that readers configured with this template support the trim zero
bit standard.
NCI magstripe Check this box to indicate that readers configured with this template supports the NCI
standard for magnetic stripes.
Supervised Check this box to indicate that readers configured with this template are supervised
(outfitted with detection devices)
Secure Check this box to enable secure OSDP communication between the reader and the
Channel controller. The reader must support SCP and must be in installation mode. The reader will
Protocol
remain offline if a secure connection cannot be established.
CAUTION — Do not enable SCP on readers that support OSDPv1, such as the ViRDI
biometric reader, as this will make the reader inoperable. Secure channel is only
supported in by OSDPv2.
Baud Rate Set the OSDP baud rate. This must be the same for all readers on a single port. Valid
values are 9600 (default), 19200, 38000 or 115200. If blank is selected, the system will
use default settings.
Note: Mercury controllers may auto-detect the OSDP baud rate. For more
information, refer to Mercury documentation.
See Appendix: pivCLASS Configuration on page 529.

OSDP Address Set the OSDP address. This must be different for each reader on a single port. Valid values
are 0 (reader 1 default), 1 (reader 2 default), 2, and 3. If blank is selected, the system will
Note: Mercury controllers will first try the setting provided and if that does not
work, the controller will use default settings.

Feature Description
OSDP Tracing Displayed for OSDP readers only. If the box is checked, OSDP address tracing will be
logged in the mercury.txt appliance log for troubleshooting.
partition.
VertX® settings
l MR20 8-bit tamper
l Hughes ID 4-bit
l Indala
standard.
partition.
Reader Template: Edit page

When you click on the name of a template on the Reader Templates list page, the Reader Template: Edit
page appears. Modify the required reader template details.
Feature Description
Vendor Choose Mercury Security or HID.

Feature Description
Reader Type Select the communication protocol used by readers configured with this template. The
options include:
l OSDP
Important: A reader template for an OSDP reader defines the baud rate

and the OSDP address to use. On a paired door using OSDP readers, you
need four OSDP reader templates: one for each OSDP address.

l F/2F
l D1/D0 (Wiegand )
l Custom (Default)
Note: The Custom option enables all options for all reader types. Readers
configured with versions of the ACM software earlier than Release 5.10.4
are assigned this reader type when the software is upgraded to ensure
that the previous settings are retained.
LED Drive Select the LED drive mode for readers configured with this template. The options depend
on the reader model and how it is wired and include:
l None
l Gen 1 wire
l Reserved
l Dorado 780
l LCD
l OSDP
Format by Check this box to indicate that readers configured with this template support the format by
nibble nibble.
Bidirectional Check this box to indicate that readers configured with this template can read
bidirectionally.
F/2F Decoding Check this box to indicate that readers configured with this template use F or 2F decoding.

Feature Description
Inputs on Check this box to indicate that readers configured with this template provide one or more
reader input ports for serial input arrays.
l MR20 8-bit tamper
l Hughes ID 4-bit
l Indala
standard.
Trim Zero Bit Check this box to indicate that readers configured with this template support the trim zero
bit standard.
Supervised Check this box to indicate that readers configured with this template are supervised
(outfitted with detection devices)
Protocol


Feature Description
partition.
VertX® settings
l MR20 8-bit tamper
l Hughes ID 4-bit
l Indala
standard.
partition.
Input Templates
Use standardized input settings and corresponding input templates together with wiring templates to
configure Mercury subpanels when adding panels in the ACM appliance. Standardize your input
configurations and create an input template for each standard configuration in use at your site.
To access input templates, select Physical Access > Templates and then click the Input Templates tab. The
Input Templates list page is displayed. This page lists all input templates that have been defined in the
system.
Note: Input templates for VertX® are not used by the ACM system. Input templates are only used
when configuring Mercury subpanels.
Input Templates 156

Input Templates list page

When you select Physical Access > Templates and click the Input Templates tab, the Input Templates list
page is displayed. This page lists all input templates that have been defined in the system.
Feature Description
Name The name of the input template.
Click the name to edit the input template details.

Delete Click to delete the input template.
Click to add a new input template.
Input Template: Add page

When you click on the Input Templates list page, the Input Template: Add page appears. Enter the
required input template details.
Feature Description
Name The name of the template.
Installed Check to indicate that input points configured with this template are connected and active.
Vendor The only supported option is Mercury Security.
Input Templates list page 157

Feature Description
Mode Select the mode used for arming and disarming the input to trigger alarm events. Each mode
modifies the effect of the Exit Delay and Entry Delay settings.
l Normal – Does not use the Exit Delay and Entry Delay settings. Point is armed when the
area is armed. Triggering the armed point will instantly trigger the alarm.
l Non-latching – Uses the Exit Delay and Entry Delay settings. When the area is armed,
the point is armed after the time specified by the Exit Delay setting. This allows you time
to exit the area without triggering an alarm. After the point is armed, triggering the
armed point occurs after the time specified by the Entry Delay setting. This allows you
time to disarm the area or restore the point (for example, by closing the door). This mode
can be used in a scenario such as an armed fire door if you want people to exit but do
not want the door propped open. The entry delay allows time for the door to be closed
before triggering the alarm.
l Latching – Uses the Exit Delay and Entry Delay settings. When the area is armed, the
point is armed after the time specified by the Exit Delay setting. This allows you time to
exit the area without triggering an alarm. After the point is armed, triggering the armed
point occurs after the time specified by the Entry Delay setting. This allows you time to
disarm the area.
EOL Select the End of Line resistance value used by inputs configured with this template.
resistance
Only the EOL resistance values that have been defined in the system are listed.
Debounce1 Select how often the unit is allowed to debounce in a row. 1 = 16 ms, 2 = 32 ms, etc.
Entry The Entry Delay setting specifies the amount of time after you enter an alarmed area that you
Delay have to disarm the alarm system before an alarm is triggered.
Enter the number of seconds allowed before the input reports an event.
Exit Delay The Exit Delay setting specifies the amount of time after the alarm system is armed that you
have to leave the area without triggering an alarm.
Hold time Set the amount of time that the alarm will stay in alarm state after returning to normal.
For example, if the input point goes into alarm state, then restores, it will hold it in that state for 1
to 15 seconds after it returns to normal state before reporting the input point is in the normal
state.
Masked Check this box to indicate that this input is normally masked.
1Due to mechanical properties of a switch, when a switch is closed, there is a period of time in which the
electrical connection "bounces" between open and closed. To a microcontroller, this "bouncing" can be
interpreted as multiple button pushes. To suppress the "bouncing", the controller software is designed to
anticipate it. This is known as "debouncing a switch".
Input Template: Add page 158

Feature Description
Show Click this button to display the policies associated with this input module.
Policy
Input Template: Edit page

When you click on the name of a template on the Input Templates list page, the Input Template: Edit page
appears. Modify the required reader template details.
Feature Description
Mode Select the mode used for arming and disarming the input to trigger alarm events. Each mode
modifies the effect of the Exit Delay and Entry Delay settings.
l Normal – Does not use the Exit Delay and Entry Delay settings. Point is armed when the
area is armed. Triggering the armed point will instantly trigger the alarm.
l Non-latching – Uses the Exit Delay and Entry Delay settings. When the area is armed,
the point is armed after the time specified by the Exit Delay setting. This allows you time
to exit the area without triggering an alarm. After the point is armed, triggering the
armed point occurs after the time specified by the Entry Delay setting. This allows you
time to disarm the area or restore the point (for example, by closing the door). This mode
can be used in a scenario such as an armed fire door if you want people to exit but do
not want the door propped open. The entry delay allows time for the door to be closed
before triggering the alarm.
l Latching – Uses the Exit Delay and Entry Delay settings. When the area is armed, the
point is armed after the time specified by the Exit Delay setting. This allows you time to
exit the area without triggering an alarm. After the point is armed, triggering the armed
point occurs after the time specified by the Entry Delay setting. This allows you time to
disarm the area.
EOL Select the End of Line resistance value used by inputs configured with this template.
resistance
Only the EOL resistance values that have been defined in the system are listed.
Input Template: Edit page 159

Feature Description
Debounce1 Select how often the unit is allowed to debounce in a row. 1 = 16 ms, 2 = 32 ms, etc.
Entry The Entry Delay setting specifies the amount of time after you enter an alarmed area that you
Delay have to disarm the alarm system before an alarm is triggered.
Exit Delay The Exit Delay setting specifies the amount of time after the alarm system is armed that you
have to leave the area without triggering an alarm.
Hold time Set the amount of time that the alarm will stay in alarm state after returning to normal.
For example, if the input point goes into alarm state, then restores, it will hold it in that state for 1
to 15 seconds after it returns to normal state before reporting the input point is in the normal
state.
Masked Check this box to indicate that this input is normally masked.
Policy
Output Templates
Use standardized input settings and corresponding output templates to use together with wiring templates to
configure Mercury subpanels when adding panels in the ACM appliance. Standardize your output
configurations and create an output template for each standard configuration in use at your site.
To access output templates, select Physical Access > Templates and then click the Output Templates tab.
The Output Templates list page is displayed. This page lists all output templates that have been defined in
the system.
Note: Output templates for VertX® are not used by the ACM system. Output templates are only used
Output Templates 160

Output Templates list page

When you select Physical Access > Templates and click the Output Templates tab, the Output Templates
list page is displayed. This page lists all Output templates that have been defined in the system.
Feature Description
Name The name of the output template.
Click the name to edit the output template details.

Delete Click to delete the output template.
Click to add a new output template.
Output Template: Add page

When you click on the Output Templates list page, the Output Template: Add page appears. Enter the
required output template details.
Feature Description
Operating Select how the panel knows when the output point is active.
Mode
l Energized When Active – a current is expected to pass through the output point when it
is active.
l Not Energized When Active – a current expected to pass through the output point
when it is inactive.
Pulse Time Enter the pulse interval time. This is the number of seconds that the output will activate when a
pulse command is issued.
Note: This field is only available on outputs not associated with doors (e.g. auxiliary
relays).
Output Templates list page 161

Feature Description
Schedule Select a schedule from the drop down list. Only schedules that have been defined in the
system are listed.
Output Template: Edit page

When you click on the name of a template in on the Output Templates list page, the Output Template: Edit
page appears. Modify the required reader template details.
Feature Description
Mode
is active.
Pulse Time Enter the pulse interval time. This is the number of seconds that the output will activate when a
pulse command is issued.
Note: This field is only available on outputs not associated with doors (e.g. auxiliary
relays).
system are listed.
Output Template: Edit page 162

Wiring Templates
Use standardized wiring setups for your subpanels and corresponding wiring templates to speed up
configuration of Mercury subpanels when adding managed doors to the ACM appliance. A wiring template
corresponds to a standard wiring setup for the doors connected to a specific Mercury subpanel model.
A wiring template takes information from the door, input, output, and reader templates that you specify and
validates all the information so that the template can be used to batch create subpanels configured with
functional doors and readers.
Wiring templates use the Access Type options Single and Paired to support easier configuration of doors.
Use Single for a door with one reader on one side of the door only (single reader door). Use Paired for a door
with two readers, one on each side of the door (paired reader door). Paired readers allow each side of a
single physical door to act like a separate door. This is particularly useful for antipassback and mustering.
The Access Type can also be configured in the Door Template. When configured in both the Wiring
Template, and the associated Door Template, the setting in the Wiring Template takes precedence.
A preconfigured wiring template for each of the following subpanels is provided:

l MR50
l MR51e
l MR52
l MR62e
l 1501 Internal SIO
l 1502 Internal SIO
You can modify the preconfigured wiring templates and create new wiring templates for each type of
subpanel in use at your site. If you use different wiring setups for the same type of subpanel, create a wiring
template for each setup.
Important: Before you configure the wiring template for a subpanel, you should have already
configured the reader templates, input templates, and output templates needed for that subpanel. A
wiring template contains mappings for the subpanel input, output, and reader addresses that
correspond to the wiring set up of the subpanel for the readers, door position, strike, and request to
exit (REX) buttons, and sets the associated template for each mapping. The number of doors and
available reader, input, and output addresses for mapping is fixed for each subpanel model.
To access wiring templates, select Physical Access > Templates and then click the Wiring Templates tab.
The Wiring Templates list page is displayed. This page lists all wiring templates that have been defined in the
system.
Wiring Templates list page

When you select Physical Access > Templates and click the Wiring Templates tab, the Wiring Templates list
page is displayed. This page lists all wiring templates that have been defined in the system.
Wiring Templates 163

Feature Description
Name The name of the wiring template.
Click the name to edit the wiring template details.

Delete Click to delete the wiring template.
Click to add a new wiring template.
Wiring Template: Add page

When you click on the Wiring Templates list page, the Wiring Template: Add page appears. Enter the
wiring template details.
You can check if the settings you make on this page are valid at any time by clicking Validate at the bottom of
the page. If there is an error on the page, an error message identifies the problem for you to correct.
Feature Description
Vendor The only option is Mercury Security.

Feature Description
Model Select from the drop-down list:
Subpanels for Doors and Readers
Model Number of Doors Number of Readers
MR50 1 2
MR52 2 4
1502 Internal SIO 2 4
MR51e 2 4
MR62e 2 4
M5-2RP 2 2
M5-2SRP 2 2
M5-8RP 8 8
MS-2K 4 4
MS-ACS 8 8
or
Subpanels for Inputs or Outputs (I/O)
Model
MR161N
MR16OUT
M5-20IN
M5-16DO
M5-16DOR
M8-I8S
M8-R8S
For each door:

Feature Description
Door Select an Access Type from the drop-down list:
l Single: A door connected to a single reader using any supported
connection protocol on a single port.
l Paired: A door connected to two readers on the same port. A
second pair of template settings is displayed.
For the single door or both paired doors select:

l Door Template
l Reader: Address and Reader Template
l Alt Reader: Address and Reader Template
Important: When using OSDP readers, you need four

OSDP reader templates for a paired door: one for each
OSDP address.
Specify the I/O templates for the doors created with this template:
Door Position Address: Input Template
Strike: Output Template
REX 1: Input Template
REX 2: Input Template
For Other I/O

Select an Input Template to use for all inputs not associated with doors.
Select an Output Template to use for all outputs not associated with
doors.
Save Click to save the template and return to the Wiring Templates list page.
Cancel Changes Click to return to the Wiring Templates list page without saving.
Add Wiring Template Click to add a new wiring template.
Wiring Template: Edit page

When you click on the name of a template on the Wiring Templates list page, the Wiring Template: Edit page
is displayed. Use this page to modify the wiring template.
You can check if the settings you make on this page are valid at any time by clicking Validate at the bottom of
the page. If there is an error on the page, an error message identifies the problem for you to correct.
For details about the fields on this page, see Wiring Template: Add page on page 164
Wiring Template: Edit page 166

Configuring Panels
Panels are controllers that connect one or more door controllers (subpanels) and their associated readers to
the ACM appliance. Through an Ethernet cable or encrypted wireless connection, panels send information
about the state of the doors back to the appliance. Panels are added one at a time.
When a new Mercury panel is created you can use the Subpanel: Batch Create wizard to add subpanels to
the panel. The wizard adds connection information for the subpanels and doors that are wired to the panel so
that the ACM appliance can start managing door access. You must configure door templates, input
templates, output templates, reader templates, and wiring templates before you can use the wizard.
Together, these templates can provide enough information to ensure basic functioning of doors as soon as
the new panel and subpanels are fully connected and communicating with the ACM system. For more
information, see Templates Overview on page 142.
Tip: To add a gateway to manage Schlage IP wireless locks, see Step 2: Configuring Gateways for IP
Wireless Locks on page 283. To add a SALTO server and panel to manage SALTO doors, see Step 1:
Connecting to a SALTO Server on page 302. To add a Door Server Router (DSR) panel to manage
ASSA ABLOY IP-enabled locks, see Step 1: Configuring a Door Service Router for IP Locks on
page 313.
Searching for Panels

Many facilities require the control and monitoring of dozens, even hundreds, of panels simultaneously. This
can result in a crowded listing page. You can search for specific panels to narrow the list of panels appearing
on the Panels list page.

the panels you want to see.
l If known, select the Appliance the panel is connected to.
l If known, select the Group the panel is included in.
2. Click OK.
Panel Migration
Migrate panel models without reprogramming their settings and reduce system downtime.
Mercury Security EP to LP Panel

CAUTION — Upgrading from an EP to LP panel model is irreversible. Perform this configuration only if
needed. Before migrating a model 'with downstream' to a model 'without downstream,' ensure all
wired subpanels are removed.
To upgrade an EP panel to an LP panel:
Configuring Panels 167

1. On the Configure tab of the EP panel:
a. Select the applicable LP model in Model.
For EP1501 and LP1501 models, converting between 'with downstream' and 'without
downstream' options is supported.
b. Click .
2. Reset the panel after changing the panel model.
For more information, see Resetting Doors Connected to a Subpanel on page 178.
Adding Panels
Panels connect door controllers and their readers to the ACM appliance. Adding a panel to the ACM system
allows the appliance to gather information on the connected doors.
Tip: To add a gateway to manage Schlage IP wireless locks, see Step 2: Configuring Gateways for IP
Wireless Locks on page 283. To add a SALTO server and panel to manage SALTO doors, see Step 1:
Connecting to a SALTO Server on page 302. To add a Door Server Router (DSR) panel to manage
ASSA ABLOY IP-enabled locks, see Step 1: Configuring a Door Service Router for IP Locks on
page 313.
To add a panel to the system:
1. Select Physical Access>Panels.

2. Click Add Panel.
3. Enter:
Name A unique name for the panel. Choose a name that will help you identify the devices it
controls. Duplicate names are not allowed.
Physical A description of where the device is installed.

Location
select a partition.
Appliance The ACM appliance that is connected to the panel.
Vendor The vendor of the panel or gateway.
If HID is selected, enter:

Model: The V1000 or V2000 model of the panel.
Timezone: The local time which the panel operates in for door schedules and other
time-based configuration.
Adding Panels 168

If Mercury Security is selected, enter:
Model: The model of the Mercury panel.
Tip: Lenel panels can be configured as Mercury panels. For more

information, see Lenel Panel Support on page 178.
Enable Large Encoded Card Format: For all types of Mercury controllers other than
the LP4502 model with the pivCLASS with external PAM. See Appendix: pivCLASS
Configuration on page 529.
Embedded Auth: For LP4502 model only. See Appendix: pivCLASS Configuration
on page 529.
Timezone: The local time which the panel operates in for door schedules and other
time-based configuration.
Wiring Type: For SCP models only. The type of port the panel uses to connect to door
or subpanels.
For SCP-2 and SCP-E models, enter:
l (4) 2-Wire Ports
l (2) 4-Wire Ports
l (1) 4-Wire/(2) 2-Wire
For SCP-C model, enter:
l (2) 2-Wire Ports
l (1) 4-Wire Port
Total Memory: For SCP-2 and SCP-E models only. The total memory the panel
contains.
Max Elevator Floors: For SCP models only. The number of floors the panel oversees.
Up to 128 floors can be specified. For more information on defining elevator door
access, see Managing Elevator Access on page 132.
Allocate space :
Credentials: The number of credentials that can be stored in the panel. The number
is dependent on the memory, vendor and model of the panel.
Events: The number of transactions to buffer in the panel. The number is dependent
on the memory, vendor and model of the panel.
Version: The current version of the database.
If Schlage is selected, enter:

Site : The name of the site that the gateway is commissioned to.
Model: ENGAGE Gateway - IP
Installed If selected, the panel is installed and ready to communicate with the ACM appliance.
Adding Panels 169

Click to discard your changes.
After you add a new panel for:

l HID V1000 model, see Subpanel: Batch Add page (VertX®) on page 175
l HID V2000 model, see Subpanel Fields on page 174
l Any Mercury Security model, see Batch Creating Subpanels on a New Mercury Panel on the next
page. However, see Adding a Subpanel on page 181 if the panel is wired to an AD-300 or PIM400
model subpanel.
After you add a new gateway for:

l Schlage ENGAGE Gateway for Schlage RSI wireless locks, see Adding a Subpanel on page 181
l Schlage ENGAGE Gateway for Schlage IP wireless locks, see Step 3: Configuring IP Wireless Devices
on page 284
See also:
l Deleting Doors on page 212
Configuring the Mercury Security MS Bridge Solution

To use the Mercury Security MS Bridge controllers and subpanels, you must have at least the following
connected to the system:
l Mercury MS-ICS panel with downstream support.
l Mercury MS-ACS subpanel that is wired to the Mercury panel.
1. Add a Mercury MS-ICS panel to the ACM system.

For more information, see Adding Panels on page 168.
2. Use the Batch Create wizard to add all required subpanels (the maximum number of subpanels is 32)
to the new panel.
For more information, see Adding Mercury Security Panels on page 174.
Note: Add at least one MS-ACS (maximum two) as a subpanel.
Note: You can add any Mercury panels that use the same protocol.
3. After all subpanels have been added to the system, select the Subpanels tab and click in the Installed
column of the displayed table for each subpanel so that a displays.

4. Create the related doors. Ensure that for each door you select the corresponding Mercury panel and
subpanel.
For more information, see Adding Doors on page 225.
5. Customize the door settings to meet your system requirements and save your changes.
Configuring the Mercury Security MS Bridge Solution 170

Batch Creating Subpanels on a New Mercury Panel
Does not apply to:
l Schlage AD-300 and PIM-400 subpanels, Aperio and SmartIntego subpanels, and RSI ENGAGE
gateways
Mercury internal subpanels on the EP1501, LP1501, EP1502, LP1502 and LP4502 models do not have an
address that can be changed.
After you save a new Mercury panel, you are prompted to use the Subpanel: Batch Create wizard. The wizard
lets you create identically configured doors on many types of subpanels, as well as groups of doors
configured differently on the same type of subpanel, and to name all the doors all in a single session.
The wizard lets you quickly create many subpanels and doors at once. The optional wiring templates allow
you to give your subpanels standard configurations for inputs, outputs and doors. Doors will only be created
when they are defined in the selected wiring templates. These templates must be configured before the
wizard can use them to create functioning subpanels and doors. The more you standardize doors, readers,
outputs, inputs, and panel wiring, the fewer templates you need. Some sample templates are provided. For
more information, see Templates Overview on page 142.
The wizard is only available when you create a new Mercury panel. Its use is optional. You can cancel out of
the wizard and the panel is still saved. However, you will have to configure all of your subpanels and the
doors, readers, outputs, and inputs to each subpanel individually.
Important: To bulk add door subpanels when adding a new Mercury panel, you must use a door
template that has a value specified for Door Mode. Before using the Subpanel: Batch Create wizard,
ensure that a door template for the door subpanel type has been configured. Door templates without
a Door Mode specified are not available for the wizard to use.
In the wizard, entering subpanel information is a three-step procedure:
1. Batch Create: Add a row for each type of subpanel that uses the same wiring template. In each row,
identify the subpanel type, the base name shared by all subpanels, the number of subpanels, and the
wiring template to use. You can only add as many subpanels as the panel can support. You can only
select a wiring template that supports that subpanel type. You can use the wizard to create
unpopulated subpanels by not specifying a wiring template.
2. Batch Edit: A row is displayed for each subpanel to be created. All the values can be changed. If you
change the subpanel type, you also have to change the wiring template. You can also add more
subpanels, up to the maximum supported by the panel.
3. Batch Name Doors: Edit the default door names for any door to conform to your site's standard
method for identifying doors (such as room numbers or names).
or
Batch Create Summary: If no doors are configured for the subpanel, review the details.
Each step is completed on its own page. Checks are made as you enter data to ensure that you enter only
valid data for the panel and subpanels, and do not overpopulate the panel. The subpanels are created when
you click Save after completing the third step.
Batch Creating Subpanels on a New Mercury Panel 171

You can move between these three pages using Next and Previous buttons. If you press Previous, the
Going back will erase all progress from this page, are you sure? message is
displayed and you have to choose to proceed. You can click Cancel Changes in any step to exit the wizard
without creating any subpanels, although the panel has already been created.
Subpanel: Batch Create page
To add a subpanel: Click
To remove a subpanel: Click
Add a row for each differently configured subpanel connected to the new panel, up to the maximum
supported for that type of panel. Typically, this would be one row for each type of subpanel. In each row,
specify the type of subpanel, its base name, the number of subpanels to create, and the templates to use to
create them.
Note: An exception to this is the MS-ISC panel, which only supports two MS-ACS subpanels, with
addresses 0 and 2. You can add more than two MS-ACS subpanels to an MS-ISC panel on the first
page, but you must correct this on the Subpanel: Batch Edit Details page before you can proceed to
the Subpanel: Batch Name Doors.
Most controllers have a built-in subpanel. That subpanel will be automatically created as part of the batch add
process. You cannot delete it or change its type, name, quantity or address.
Column Description
Subpanel Type Select the subpanel model from the Select Model drop-down list. The selection is
determined by the panel model.
Subpanel Base Name The prefix used in the name of each subpanel. The default format is <panelName>-
<panelModel>. For example EastEntrance-LP2500. You can change this name.
Quantity Select the number of identically configured subpanels you want to add. The
number of available subpanels is updated as new rows are added.
Subpanel: Batch Create page 172

Column Description
Wiring Template Select the template from the Select Wiring Template drop-down list. The selection
is determined by the subpanel type.
Important for users of templates created in releases prior to ACM Release 6.0:
If you select a template that supports doors that has no doors associated with it,
the Selected template has no door profiles warning message is
displayed. This warning usually occurs for wiring templates created prior to ACM
Release 6.0 that have not been modified to associate them with doors. You can
choose to continue (and no doors will be created by the wizard) or edit the
template. To edit the template, click the Edit Template button that is now
displayed .
Click Next and the Subpanel: Batch Edit Details page is displayed.
Subpanel: Batch Edit Details page
To add a subpanel: Click
To remove a subpanel: Click
Edit the details for all of the subpanels you added for the new panel. You can also continue to add and
remove subpanels up to the maximum supported by the panel.
Column Description
Address The port address on the panel to which the subpanel is connected. If there
are addresses available, you can add and reorder the addresses. New
subpanels are always added to the first available address.
Note: The MS-ISC panel only supports two MS-ACS subpanels, with
addresses two 0 and 2. If you added more than two MS-
ACS subpanels to an MS-ISC panel on the first page, you must
correct this here before you can proceed to the Subpanel: Batch
Name Doors.
Subpanel Type You can change the subpanel type. After you make your selection, the row is
updated to prompt you for the information needed to create the subpanel.
Subpanel Name The name of each subpanel. The default name is the subpanel address
appended to the Subpanel Base Name: <panelName>-<panelModel>-
<subpanelAddress>. For example EastEntrance-LP2500-0. You can change
this name.
Wiring Template Select the template from the Select Wiring Template drop-down list. The
selection is determined by the subpanel type.
Click Next.
Subpanel: Batch Edit Details page 173

Subpanel: Batch Name Doors or Subpanel: Batch Create Summary page
If there are any doors to configure (because wiring templates with door configurations were selected), they
can be named on the Subpanel: Batch Name Doors page that is displayed. Otherwise the Subpanel: Batch
Create Summary page is presented. On both pages the settings you have configured on the previous pages
are displayed for your review before the subpanels are created.
On the Subpanel: Batch Name Doors, default names for each door are displayed for each door subpanel
being added to the panel. You can edit the door names to match the door-naming standard for your site
before the subpanels are created.
Click Save to create the subpanels and doors and return to the Panel: Edit page. To access the subpanels
you created, click the Subpanels tab.
Adding HID VertX® Subpanels

If you selected VertX® as the panel vendor in the Panel Add page, complete the following procedure:
1. After you save the new panel, the Subpanel: Batch Add page is displayed.
2. Select the number of each subpanel model that is installed at each port then click .
The HID Panel Configure page is displayed.
3. Select the Host tab.
4. Enter the IP address for this panel.
Adding Mercury Security Panels

If you selected Mercury Security as the panel vendor in the Panel Add page, complete the following
procedure:
1. After you save the new panel, the Subpanels: Batch Create page is displayed.
Note: The listed subpanel models will be different depending on the Mercury panel model
that was selected on initial Panel Add page.
2. Select the number of subpanel models that are installed.
3. Click Save.
The Mercury Security Panel Edit page is displayed.
4. Select the Host tab.
5. Enter the IP address for this panel.
Subpanel Fields
For Mercury Security, HID VertX, Schlage ENGAGE gateway (RSI mode) and ASSA ABLOY doors.
Subpanel: Batch Name Doors or Subpanel: Batch Create Summary page 174

Add or edit a subpanel that is supported by the panel on the Subpanels tab in Physical Access > Panels.
Note: Fields in this list are dependent on the door or device. Some commands or fields are not
supported for all doors or devices.
Name A name for the new subpanel, gateway or hub.

Physical A brief description of where the subpanel, gateway or hub is located.
Location
Model The model of the new subpanel, gateway or hub.
Port The port that the subpanel is connected to on the main panel.
For a Schlage AD-300 subpanel, the default is Port 2. For a SmartIntego GatewayNode, or

ASSA ABLOY Aperio hub subpanel, the default is Network.
Installed If checked, the subpanel is installed and able to communicate with the main panel.
Address The RS-485 RSI or IP address for the selected port and for all subpanels except those that
use the network port.
For a SimonsVoss GatewayNode subpanel, the hexadecimal address assigned by the

SmartIntego Tool.
Address Mode For the MR62e module only, DHCP or Static IP.
Elevator Inputs For an MR16IN or MR52 subpanel if checked, the door module is used as an input for an
elevator.
Elevator For an MR16OUT or MR52 subpanel if checked, the door module is used as an output for
Outputs an elevator.
IP Address The subpanel IP address of a gateway or hub; or an MR51e subpanel or MR62e module
operating in Static IP model.
Hostname For an MR62e module, DHCP mode, the hostname of the panel.
The hostname of the gateway.

MAC Address For an MR51e subpanel, the subpanel MAC address.
The MAC address of the gateway.

Low Door For a Schlage RSI-based ENGAGE Gateway or PIM400 subpanel, the lowest door number
in the series that is managed by the subpanel. The numbered doors managed by each
subpanel cannot overlap.
High Door For a Schlage RSI-based ENGAGE Gateway or PIM400 subpanel, the highest door number
in the series that is managed by the subpanel. The numbered doors managed by each
subpanel cannot overlap.
Subpanel: Batch Add page (VertX®)

This page appears if you are adding a new VertX® panel. After you save the initial panel details, this page
allows you to batch add all the subpanels that may be connected to the controller panel.
Subpanel: Batch Add page (VertX®) 175

Feature Description
Port # The port on the panel that the subpanel is connected to.
Model The supported subpanel models.
Quantity Select the number of each subpanel that is installed at each port.
Editing Panels
To edit an existing panel, select the type of panels that you have installed.
Editing HID® VertX® Panels

To edit an existing VertX® panel:
1. On the Panels list, select the panel you want to edit.

The HID Panel Status page is displayed.
2. If necessary, download configuration data, user data, or updated firmware to this panel.
3. Navigate the tabs on the screen to make the required changes.
l Configure – select this tab to change the panel properties.
l Host – select this tab to change the panel's network address.
l Subpanels – select this tab to configure the subpanels that are connected to the panel.
l Events – select this tab to review and configure the events that are associated with the panel.
4. Click at the bottom of each page to save your changes.
Editing Mercury Security Panels

To edit an existing Mercury Security panel:
1. On the Panels list, select the panel you want to edit.

The Mercury Security Panel Status page is displayed.
2. If necessary, download configuration data, user data, or updated firmware to this panel.
3. Select the any tabs on the screen to make the required changes.
l Configure – select this tab to change the panel properties.
l Host – select this tab to configure authentication of the panel, encryption of traffic to and from
the panel, and to change the panel's network address.
l Subpanels – select this tab to configure the subpanels that are connected to the panel.
l Macros – select this tab to add or configure the macros used to perform system actions.
l Triggers – select this tab to define what must occur before a macro is called into action.
l Access Levels – select this tab to review the access levels that have been defined for the
panel.
Editing Panels 176

l Schedules – select this tab to review the schedules that have been defined for the panel.
l Card Formats – select this tab to view the card formats for all doors connected to the panel.
l Events – select this tab to review and configure the events that are associated with the panel.
4. Click at the bottom of each page to save your changes.
Panel Card Formats

When you click the Card Formats tab from the Panel: Edit page the Panel Card Formats page is displayed.
This read-only page displays a table that lists the card formats used on all the doors connected to that panel.
Although the ACM system allows you to define up to 128 card formats system-wide, only 16 card formats can
be used within a single panel.
You can use this table to identify the doors that use each card format. Each row displays a card format in the
Card Formats column, and displays a drop-down menu that displays the number of doors that recognize this.
Click on the drop-down menu bar to see the list of doors.
Resetting Anti-Passback from the Panel

In the event of an emergency, all the people in a building may leave an area at once and arrive at a mustering
area together without using their access card at each door they encounter. This may cause the system to
detect multiple anti-passback conditions.
To avoid granting each individual a free pass, you can reset the anti-passback condition for the panel.
1. On the Panels list, select the panel you want to update.

2. On the Panel Status page, click APB Reset.
A confirmation message is displayed when APB is reset. Badge holders can return to their regular stations
and the system will resume normal operations.
Downloading Parameters
Any changes you make to the panel configuration or related events are automatically downloaded to the
panel daily. However, you can manually download the parameters to immediately activate the updated
configurations.

2. On the Panel Status page, click Parameters.
The application downloads the configured parameters to the panel.
Downloading Tokens
Whenever you add new identities or update door access information in the system, the system automatically
downloads the new details to the panels and doors. However, if the auto-download is unsuccessful, you can
download tokens to the panel manually.
177
2. On the Panel Status page, click Tokens.
The tokens are downloaded to the panel.
Lenel Panel Support

ACM appliances support Lenel panels but you must configure the Lenel panels as Mercury Security panels in
the system.
The following table shows the equivalent Mercury Security panel for each supported Lenel panel.
Mercury Security Lenel Panel

Panel Model Model
SCP-C LNL-500
SCP-2 LNL-1000
SCP-E LNL-2000
EP1502 LNL-2220
EP2500 LNL-3300
EP1501 LNL-2210
MR16in LNL-1100
MR16out LNL-1200
MR50 LNL-1300
MR52 LNL-1320
For example, you have installed a Lenel LNL-1000 panel. As you complete the procedure to add the new
panel, you would select Mercury Security as the vendor and select the SCP-2 as the model.
Since the SCP-2 and the LNL-1000 use the same parameters, the ACM appliance can communicate with the
panels in the same way.
Resetting Doors Connected to a Subpanel

All the subpanels that are connected to the panel can be reset with the latest configurations downloaded
from the ACM system. The download includes any tokens, macros, triggers, inputs, outputs, and reader
configurations.
To reset all the doors that are connected to a specific panel:
1. Click Physical Access > Panels.

2. Click the panel you want to reset.
3. Click the Reset/Download button on the Panel: Status page.
Note: Allow several minutes for the download to complete.
Lenel Panel Support 178

Doors connected to the panel are now updated with the most recent configuration.
Updating Panel Firmware

You can upload firmware updates to the panel, activate the new firmware and apply the latest ACM system
configuration parameters.
CAUTION — Risk of loss of functionality. It is possible to downgrade to an earlier firmware version by

choosing an earlier firmware file. If you do downgrade to an earlier firmware release, functionality
provided in later releases will no longer be available, resulting in unexpected behavior. For example,
override functionality available for Mercury panels in the ACM software 5.12.2 and later, requires the
Mercury firmware version 1.27.1 or later.
1. On the Panels list, select the panel.

2. On the Panel: Status page, click Firmware.
Note: For IP wireless locks, a firmware update is applied to all locks of the same type
managed by the gateway (for example, NDE locks but not LE locks). For offline Wi-Fi locks, a
firmware update is applied to the single selected lock.
3. Do any of the following:

l
Apply a firmware update that is available in the system, click next to the firmware file.
l Upload a new firmware update provided by the manufacturer:
a. Download the firmware file from the manufacturer.
b. Click Add Firmware.
c. Click Choose File and select the firmware file.
d. Click to upload the firmware file.
Note: If you click , the Identity Import Type: will be set to Auto and any
attached CSV files will be deleted.
e. On the Firmware list, click next to the firmware file to apply it to the panel.
l Delete an existing firmware update, click next to the firmware file. Click OK to confirm the
operation.
Updating Panel Time

Each panel tells time by synchronizing with a time server that is accessible on the network. For example, a
network time protocol (NTP) server may be used. In the event of unexpected power or network failure, the
panel may run independently for a while and need to be re-synchronized when everything is back online.
Updating Panel Firmware 179

1. On the Panels list, select the panel.
2. On the Panel: Status page, click Clock. The button is not displayed if clock synchronization is not
supported.
The panel connects and synchronizes with the time server.
SALTO Panel Status
On the Panel: Status tab, see:
The communications status between the SALTO server and ACM appliance. The
current status of the device is indicated by the background color. For more
information, see Status Colors on page 46.
Server Time/Date The date and time of the last import from the SALTO server to the ACM
appliance.
Language Code The language code used.
Protocol Version The SALTO Host Interface Protocol version.
See also:
l Step 3: Syncing Doors with the SALTO Server on page 304
l Downloading All Tokens on page 310
SALTO Panel Configuration
On the Panel: Edit Configure tab, see:
Name Read-only. Up to 50 characters for the name of the server.

Location
Appliance Read-only. The ACM appliance the device is connected to.
Vendor Read-only. SALTO.
Installed Enables communication between the ACM appliance and SALTO server after saving.
See also:
l Step 2: Configuring the SALTO Server on page 303
Deleting Panels
Deleting a panel removes the connection between the ACM system and the panel.
To delete the panel:
SALTO Panel Status 180

1. Select Monitor > Dashboard > Panels or Physical Access > Panels.
2. Click at the end of a row in the Panels table and then click Delete.
3. When the confirmation message appears, click OK.
Configuring Subpanels
Some panels support hierarchical connections. One panel can be connected to a large number of specialized
subpanels, and the subpanels transmit their data to the ACM appliance through the panel.
Adding a Subpanel
Single subpanels can be added to a predefined panel. Gateway and hub subpanels can be added for wired
and wireless locks.
Note: Schlage PIM400, RSI-based ENGAGE Gateway, AD300; Assa Abloy Aperio; and SmartIntego
GatewayNode subpanels can only be added one at a time to a Mercury panel. To batch add other
supported subpanels, see Batch Creating Subpanels on a New Mercury Panel on page 171.
Configuring Subpanels 181

To add subpanels one at a time:
1. Select Physical Access > Panels.

2. Click the name of the panel that is wired to the new subpanel.
3. Select the Subpanels tab.
4. Click Add Subpanel.
5. Enter:
Note: Fields in this list that are not supported by the subpanel or gateway are not displayed.
Name A name for the new subpanel, gateway or hub.

Physical A brief description of where the subpanel, gateway or hub is located.
Location
Model The model of the new subpanel, gateway or hub.
Port The port that the subpanel is connected to on the main panel.
For a Schlage AD-300 subpanel, the default is Port 2. For a
SmartIntego GatewayNode, or ASSA ABLOY Aperio hub subpanel, the default is
Network.
Installed If checked, the subpanel is installed and able to communicate with the main panel.
Address The RS-485 RSI or IP address for the selected port and for all subpanels except
those that use the network port.
For a SimonsVoss GatewayNode subpanel, the hexadecimal address assigned by
the SmartIntego Tool.
Address Mode For the MR62e module only, DHCP or Static IP.
Elevator Inputs For an MR16IN or MR52 subpanel if checked, the door module is used as an input
for an elevator.
Elevator For an MR16OUT or MR52 subpanel if checked, the door module is used as an
Outputs output for an elevator.
IP Address The subpanel IP address of a gateway or hub; or an MR51e subpanel or MR62e
module operating in Static IP model.
Hostname For an MR62e module, DHCP mode, the hostname of the panel.
The hostname of the gateway.
MAC Address For an MR51e subpanel, the subpanel MAC address.
The MAC address of the gateway.
Low Door For a Schlage RSI-based ENGAGE Gateway or PIM400 subpanel, the lowest door
number in the series that is managed by the subpanel. The numbered doors
managed by each subpanel cannot overlap.
High Door For a Schlage RSI-based ENGAGE Gateway or PIM400 subpanel, the highest door
number in the series that is managed by the subpanel. The numbered doors
Adding a Subpanel 182

Editing Subpanels
To edit an existing subpanel:

2. Click the name of the panel the subpanel is connected to.
4. From the Subpanels list, perform any of the following:
l To edit the subpanel details, click the subpanel name.
l
To edit the inputs connected to the subpanel, click for that subpanel.
l
To edit the outputs connected to the subpanel, click for that subpanel.
l
To edit the readers connected to the subpanel, click for that subpanel.
5. On the following listing page, select the specific device you want to edit.
6. Make the required changes to the device edit page.
Inputs
Inputs are associated with panels or doors and can include:
l Motion sensors
l Door contacts
l Smoke detectors
l REX (request to exit) buttons
l Perimeter and fence alarms
l Break glass window sensors
l Crash bars
l Capacitance duct sensors
l Device tamper switches
Inputs can be controlled in two ways:

l Masking
l Unmasking
Masked inputs do not trigger any corresponding outputs.
Unmasked inputs function normally.
The state may change according to several actions, including entry of a proper code or card, or operator
override.
Editing Subpanels 183

Output Operating Modes
Outputs operate in Operating Mode. Operating mode describes how the output behaves during normal
operation.
By choosing the Operating Mode option when editing an output, you can set one of the following options to
define how the output behaves when it is active:
Feature Description
Energized When An electrical current is expected to pass through the output point when it is active.
Active
Not Energized An electrical current is expected to pass through the output point when it is not active.
When Active
Outputs
Outputs are devices that perform tasks in response to input data. This includes unlocking a door, setting off a
fire alarm, activating an elevator or turning off air conditioning. Output devices include:
l Strikes
l Magnetic locks
l Fire alarms
l Klaxons
l Motors of any sort
l HVAC
In general, these devices are activated by door controllers, panels, or subpanels that use relays to initiate
activation. Output devices can have one of the following states:
l On (energized)
l Off (de-energized)
l Pulse (intermittently on and off)
Locks (in general) and strikes (specifically) come in several varieties that support a locked state that is either
energized or de-energized, with a default state that is either locked or unlocked. This is for safety reasons. In
the case of power outages and emergency shutdowns, many doors must 'fail open', meaning that they unlock
whenever the power goes off, allowing people to exit an area. Other doors, such as bank vaults and secured
areas, must 'fail close', meaning that a de-energized state requires the bolt to remain in place. For more on
this, refer to Configuring Doors on page 199 and Configuring Panels on page 167.
Many outputs, such as sliding doors, alarms or warning lights need to be turned on and off. In order to do this,
relays on many panels also provide a pulse feature that energizes the output for a specified amount of time
then de-energizes the output for a specified amount of time.
Doors and other outputs can be activated by the user following a successful card or code entry. Alternatively,
the operator can override normal operation or control the output on the Subpanel Status page.
Deleting Subpanels
To disable communication between a panel and external subpanel, you can delete the subpanel from the
system.
Output Operating Modes 184

2. Click the name of the panel that is connected to the external subpanel.
4. Click next to the subpanel name This button is not displayed for an internal subpanel.
Configuring Locks
To use locks with built-in card or PIN readers, add the related wireless lock subpanel to the system then add
the lock hardware as part of a door. The readers can be either wired or wireless, depending on the lock.
Supported Devices
After the locks with built-in card, PIN or fingerprint readers are installed and configured according to vendor
instructions, ensure the physical configuration matches the configuration in the ACM application as follows.
The readers can be either wired or wireless, depending on the lock.
Note: To support the devices that connect to the LP series hubs, install the applicable LP_nnnn_1_
30_0_662_FS_2_23.crc firmware versions.
Door Panel Subpanel External

System
Wired locks
Allegion Schlage® AD-300 series
Up to 8 wired locks to a Mercury Security EP1501, and Up to 8 AD-300 subpanels. -

panel port EP1501 with downstream
communications support,
Installed with a different Locks have built-in
EP2500, LP1501, LP1502,
number programmed into subpanels.
LP2500 or LP4502
the locks for each set of
doors to be connected to
the panel.
Wireless locks
Allegion Schlage AD-400 series
Up to 16 wireless locks Mercury Security EP2500, and Up to 8 AD-400 subpanels -

LP1501, LP1502, LP2500 to an RS-485 port on the
Each door communicates
or LP4502 controller.
with the subpanel
wirelessly. Each subpanel is wired to a
Mercury Security panel.
Allegion Schlage LE and NDE series
Configuring Locks 185

Up to 10 NDE and/or LE Mercury Security EP2500, or Up to 8 NDE ENGAGE -
wireless locks operating in LP1502, LP2500 or gateways to an RS-485
RSI mode to each gateway LP4502 port on the controller.
Each subpanel is wired to a

Mercury Security panel.
ASSA ABLOY Aperio® series*
Up to 8 devices to an RS- Mercury Security EP1501, and Aperio 1 to 8 Hub, or 1 to 1 -

485 hub EP1501 with downstream Hub
support, EP1502, EP2500
Each door communicates See vendor
or LP4502
with the hub wirelessly. documentation for the
limit.
Up to 64 devices to an LP1502, LP2500 or and Aperio AH40 IP Hub -

IP hub LP4502
Door tamper is supported.
*Aperio Wiegand devices and Wiegand hubs (1 device to 1 hub) are not managed in the ACM system.
SimonsVoss series
Up to 16 wireless locks to Mercury Security EP1501, and Up to 32 SmartIntego -

each gateway. EP1501 with downstream GatewayNode subpanels
communications support, to a network port,
EP1502, EP2500 or MS- depending on the panel.
ICS panel
Up to 16 gateways on Port
4 for EP1501.
Up to 32 gateways on Port
4 for EP1502, EP2500 and
MS-ICS.
Each subpanel is
connected over an
Ethernet network
using TCP.
Configuring ASSA ABLOY™ Aperio® Wireless Lock Technology

To use the ASSA ABLOY Aperio wireless locks, you must have the following panels connected to the system:
l Mercury Security EP1501, EP1501 with downstream support, EP1502, EP2500 or LP4502, or the LP
series for the Aperio AH-40 Hub
l ASSA ABLOY Aperio 1 to 8 Hub, 1 to 1 Hub, or AH-40 Hub
Configuring ASSA ABLOY™ Aperio® Wireless Lock Technology 186

Note: For the Aperio AH-40 Hub, ensure the Enable TLS checkbox is enabled on the hub's ACU
settings in the Aperio programming application.
The wireless lock assembly is installed directly to the door and communicates with the Aperio Hub subpanel
wirelessly.
1. Add the Mercury Security panel to the ACM system.

2. Add the Aperio 1 to 8 Hub, Aperio 1 to 1 Hub, or Aperio AH-40 Hub, as a subpanel to the panel
added in the previous step.
l For the Aperio AH-40 Hub subpanel, enter also the IP Address. For more information, see
Adding a Subpanel on page 181.
Enter also the Aperio ACU Port in the Appliance settings.
3. Add a door for each wireless lock assembly.
a. For each door, select the corresponding Mercury Security panel, Aperio Hub subpanel and
Lock Number that is assigned to the wireless lock assembly.
b. For the Aperio AH-40 Hub subpanel, enter the Device Id (referred to as Lock/Sensor in the
Aperio programming application).
c. Customize all other door settings to meet your system requirements and save your changes.
Configuring Allegion Schlage AD-400 Series Locks

To use Allegion Schlage AD-400 series locks, you must have the following panels connected to the system:
l Mercury Security EP1501, EP2500 with downstream support, or LP1502 panel
l Schalge PIM400 subpanel that is wired to the Mercury Security panel
The wireless lock assembly is installed directly to the door and communicates with the PIM400 subpanel
wirelessly.
Note: Ensure the wireless locks are installed according to Schlage installation instructions.
1. Add a Mercury EP1501, EP2500 or LP1502 panel to the ACM system.

2. Add the PIM400 as a subpanel to the panel in the previous step.
For more information, see Adding Mercury Security Panels on page 174.
3. After the panels have been added to the system, select the Subpanels tab.
4. For each PIM400 subpanel, enter the Low Door and High Door number that is assigned to the
subpanel.
Each PIM400 subpanel manages up to 16 wireless doors in a series. You must identify the lowest
Configuring Allegion Schlage AD-400 Series Locks 187

numbered door and the highest numbered door managed by each subpanel. The numbered doors
5. Create a door for each wireless lock assembly.
6. For each door, select the corresponding Mercury Security panel, PIM400 subpanel and door number
that is assigned to the wireless lock assembly.
7. On the door Parameters tab, you can set the Lock Function for the wireless locks. The options are:
l None: Use the system default door settings.
l Privacy: When the interior lock button is pressed, the door will lock and the exterior lock will not
grant access to any token. To unlock the door, the interior lock button must be pressed again or
exit the room.
l Apartment: Use the interior lock button to toggle between locked and unlocked. When the
door is locked, any valid token will open the door. The door must be manually locked or it will
stay unlocked.
l Classroom — Classroom/Storeroom — The lockset is normally secure. The inside lever always
allows free egress. Valid toggle credentials (i.e. a valid card that is swiped twice within five
seconds) on the exterior may be used to change to a passage or secured status. Not to be used
on mortise deadbolt. Interior push button not to be used.
Note: This is the only lock function supported for the RSI-connected NDE series lock.
l Office — The lockset is normally secure. The inside lever always allows free egress. An interior
push-button on the inside housing may be used to select a passage or secured status. Meets
the need for lockdown function for safety and security. Valid toggle credentials (i.e. a valid card
that is swiped twice within five seconds) on the exterior may also be used to change status. Not
to be used on mortise deadbolt.
Note: A Restore door action is available on the Door listing page and the Hardware Status
page which resets the Door Mode to its default value.
8. Customize all other door settings to meet your system requirements and save your changes.
Configuring Allegion Schlage LE Series Locks

To use Allegion Schlage LE series locks, you must have one of the following panels connected to the system:
l Mercury Security EP1501, EP2500 with downstream support or LP1502 panel
l Schlage ENGAGE™ Gateway subpanel that is wired to the Mercury Security panel
Note: Ensure the wireless locks are installed according to Schlage installation instructions.

1. Add a Mercury EP2500, EP1501 (with downstream) or LP1502 panel to the ACM system:
a. Select Physical Access>Panels.
b. Click .
c. Enter the Name, Vendor and Model.
d. Select Installed.
e. Click to save.
2. Add the required subpanels to the new panel:
l
If using only ENGAGE Gateway subpanels, select the Batch Add option and click .
Note: Make sure the ENGAGE Gateway subpanel configuration matches the physical
gateway.
l If using both Gateway and non-Gateway subpanels, enter the correct number of Gateway
subpanels and/or PIM400s on the Subpanel: Batch Add page (do not select any other panels at
this stage) and click .

For each ENGAGE Gateway subpanel:
a. Click the Subpanels tab. If you are adding non-Gateway subpanels, set the subpanels to
the correct port.
b. Add the subpanel. You can mix and match any subpanels using the same Mercury
Security protocol on the same port (such as ENGAGE Gateway and PIM400). For more
information, see Adding Mercury Security Panels on page 174.
c. Select Installed.
d. Click to save.
4. For each door, select the corresponding Mercury Security panel, ENGAGE Gateway subpanel and
door number that is assigned to the wireless lock assembly.
5. On the door Parameters tab, set the Lock Function for the wireless locks. The options are:
l Privacy: When the interior lock button is pressed, the door will lock and the exterior lock will not
grant access to any token. To unlock the door, the interior lock button must be pressed again or
exit the room.
l Apartment: Use the interior lock button to toggle between locked and unlocked. When the
door is locked, any valid token will open the door. The door must be manually locked or it will
stay unlocked.
l Classroom — Classroom/Storeroom — The lockset is normally secure. The inside lever always
allows free egress. Valid toggle credentials (i.e. a valid card that is swiped twice within five

seconds) on the exterior may be used to change to a passage or secured status. Not to be used
on mortise deadbolt. Interior push button not to be used.
Note: This is the only lock function supported for the RSI-connected NDE series lock.
l Office — The lockset is normally secure. The inside lever always allows free egress. An interior
push-button on the inside housing may be used to select a passage or secured status. Meets
the need for lockdown function for safety and security. Valid toggle credentials (i.e. a valid card
that is swiped twice within five seconds) on the exterior may also be used to change status. Not
to be used on mortise deadbolt.
Note: A Restore door action is available on the Door listing page and the Hardware Status
page which resets the Door Mode to its default value.
Configuring Allegion Schlage NDE Series Locks

To use Allegion Schlage NDE series locks, you must have one of the following panels connected to the
system:
l Mercury EP1501 or EP2500 panel with downstream support.
l ENGAGE Gateway subpanel that is wired to the Mercury Security panel.
Note: Ensure that the wireless locks have been installed in line with Schlage's installation
instructions.
1. Add a Mercury EP2500 or EP1501 (with downstream) panel to the ACM system:
b. Click .
e. Click to save.
Configuring Allegion Schlage NDE Series Locks 190

2. If you are adding:
l just ENGAGE Gateway subpanels, then add all required subpanels to the panel created in the
previous step using the Batch Add option and click .
Note: You will still need to manually make sure that the ENGAGE Gateway has
matching configuration as the physical gateway.
l both Gateway and non-Gateway subpanels, then enter the correct number of Gateway
subpanels and/or PIM400s on the Subpanel: Batch Add page (do not select any other panels at
this stage) and click . For each other subpanel to be added:

o Click on the Subpanels tab to open the Subpanel page. If you are adding non-Gateway
subpanels ensure that the subpanels are set to the correct port.
o Add the subpanel. You can mix and match any subpanels using the same Mercury
Security protocol on the same port (i.e. ENGAGE Gateway and PIM400). For more
information, see Adding Mercury Security Panels on page 174.
For each ENGAGE Gateway subpanel, enter the following and select Installed:
o Port
o Address
o Low Door and High Door number that is assigned to the subpanel.
Each ENGAGE Gateway subpanel manages up to 10 NDE wireless doors. You must identify the
lowest numbered door and the highest numbered door managed by each subpanel. The
numbered doors managed by each subpanel cannot overlap.
4. For each door, select the corresponding Mercury Security panel, ENGAGE Gateway subpanel and
door number that is assigned to the wireless lock assembly.
5. On the door Parameters tab, you can set the Lock Function for the wireless locks. For the NDE series
there is only one lock function: Classroom — Classroom/Storeroom.
Note: There is a Restore door action available on the Door listing page and the Hardware
Status page which resets the Door Mode to its default value.
Configuring SimonsVoss Wireless Locks

To use SimonsVoss series locks, you must have the following panels connected to the ACM system:
l Mercury EP1501 (with downstream support), EP1502, EP2500, or MS-ICS panel.
l SmartIntego GatewayNode subpanel that is connected over an Ethernet network
using TCP. This connection is established after setting up the subpanel in the ACM software.
Configuring SimonsVoss Wireless Locks 191

Prerequisites
Ensure that the wireless locks have been installed and configured according to the SimonsVoss installation
instructions. You must have:
l Configured the hostname, and optionally the IP address, or the MAC address in the SmartIntego
GatewayNode software. For more information, refer to the SimonsVoss documentation for the
SmartIntego GatewayNode software.
Note: To use the MAC address of the wireless lock, the hostname must be configures in the
format MAC<nnnnnnnnnnnn>, where nnnnnnnnnnnn is the MAC address without any colons.
For example, the hostname for a lock with MAC address 12:34:56:78:9A:BC is entered
MAC123456789ABC.
l Identified the hexadecimal address for each SmartIntego GatewayNode and each wireless lock before
you can connect them to the ACM software. This information is available from the SmartIntego Tool as
shown in the figures below. In these examples:
o 0X0011 is the hex address for the SimonsVoss GatewayNode. Enter this value in the Address
field for each SmartIntego GatewayNode in the ACM software (Physical Access > Panel >
Subpanel).
0X0016 is the hex address for the SimonsVoss wireless lock. This is the value entered in the
Door Number field for each SImonsVoss lock in the ACM software (Physical Access > Doors
> Add Door).
Figure 3: The SmartIntego GatewayNode hexadecimal address in the SmartIntego Manager screen of the SmartIntego Tool.
Figure 4: The SmartIntego lock hexadecimal address in the SmartIntego Manager screen of the SmartIntego Tool.
Prerequisites 192
Note: The SmartIntego Tool software and the SmartIntego GatewayNode software are not
supported on Microsoft Windows 10.
Configuring Doors
To configure a door with a SmartIntego wireless lock in the ACM software, use the following steps:
1. Add a supported Mercury panel to the ACM system:

b. Click .
e. Click to save.
2. Optionally, on the Subpanel: Batch Add panel, enter the number of SmartIntego GatewayNode
subpanels. you want to add using the Batch Add option and click .
3. Click on the Subpanels tab to open the Subpanel page.
4. Open each SmartIntego GatewayNode subpanel and enter the following:
l Port—Select Network and select Installed.
l Enter at least one of the following
o IP Address
o MAC Address
o Hostname
l Address—enter the hexadecimal address for the SmartIntego GatewayNode.
Each SmartIntego GatewayNode subpanel manages up to 16 wireless doors.
Note: You will still need to manually make sure that the subpanel configuration matches the
physical gateway
5. Create a door for each wireless lock assembly. Ensure you specify Mercury Security as the vendor.
6. On the Parameters panel for each door, ensure that you do the following:
l Vendor — Select Mercury Security
l Panel — Select the panel that is connected to the SmartIntego GatewayNode for the door.
l Subpanel — Select the subpanel for the SmartIntego GatewayNode that is connected to the
door.
l Door Number — Enter the hexadecimal address for the SmartIntego wireless lock assembly.

l Installed — Click the checkbox.
l Don't pulse door strike on REX — For SimonsVoss wireless locks, such as cylinders, that do
not support a door position switch (DPOS) , this box must not be checked.
7. If the SimonsVoss lock on the door does not support a DPOS, the settings in the following fields have
no effect:
l On the parameters tab:
o Mask Forced Schedule
o Mask held Schedule
o Always Mask Forced
o Always Mask Held
o Offline Mode
o Deny Duress
o Door Forced Filter
o Enable cipher Mode
o Use Shunt Relay
o Detailed Events
o do Not Log Rex Transactions
o Log all grants right away
l On the Operations tab:
o APB Mode
o APB Delay
o Into Area
o Out of Area
o PIN Timeout
o PIN Attempts
o LED Mode
o Held Open Time
o Held Pre Alarm Access Time
o Extended Access
o Extended Held Open Time
o Simple Macros
o Strike Mode
o Access time when open
o Card Format
o The Door status will default to Normal Status
8. Customize the other door settings to meet your system requirements and click .
The ACM system and the SmartIntego GatewayNode subpanel should now connect and the door should be

online.
Troubleshooting
Door Is Not Online
If the door is not online:

l Wait a few minutes: The GatewayNode polls the SimonsVoss wireless lock three times in three
minutes, then polls every three hours, until the door responds. Normally, the door should come online
within three minutes.
l If the door is not online within a few minutes: Check all the connections between the ACM system and
the SmartIntego GatewayNode subpanel, including the power.
Door Status
After the door is operational, certain conditions of the SimonsVoss wireless lock that change the door status
are not always immediately reported to the ACM system. As a result, the door status reported in the ACM
client may not always accurately reflect the actual status of the of the door.
l If you uninstall the door and then reinstall it in the ACM system, the connection between the
SmartIntego GatewayNode subpanel and the SimonsVoss lock is not interrupted. However, the
reinstalled door will appear offline to the ACM system until the SmartIntego GatewayNode subpanel
polls the SimonsVoss lock. This poll happens once every 12 hours, so you may have to wait as long as
12 hours. During this period, the door will function normally but the ACM system will not receive any
events from the door.
l After a power outage to the SmartIntego GatewayNode subpanel, an accurate door status will not be
seen in the ACM system until after the SmartIntego GatewayNode subpanel is online and polling of all
the SimonsVoss doors connected to that subpanel has completed. The time it takes for the subpanel
to come online and start polling can be variable.
l If the batteries in the SimonsVoss lock are depleted or removed, an accurate door status will not be
seen in the ACM system until after 24 hours have elapsed since the last battery status report was
received from the wireless lock. It could take up to 24 hours after battery power has been lost before
the status is correctly reported. Meanwhile, commands can be sent to the door, but nothing happens.
Note: The ACM lockdown priority operation is superseded by the Escape and Return state of the
SimonsVoss wireless lock when it becomes engaged in a lockdown situation.
Macros
Note: Only Mercury Security panels support macros.
Macros are commands, or sequences of commands, that can control the activity of devices connected to a
door, panel, or group of panels.
Troubleshooting 195
Macros can be extremely simple, such as turning out lights or masking an input. Or, they can be sophisticated
multi-step procedures. For example, you can define a macro that closes down the air conditioning system,
unmasks the alarms, locks all the doors connected to a panel, turns out the lights, then emails the operator for
more instructions.
In the Avigilon ACM application, macros can be activated by:

l Triggers
l Interlocks
All doors (not limited to Mercury Security) support simple macros. Simple macros are triggered by a single
door event and activate one output in response. For more information, see Adding Simple Macros on
page 211.
Adding Macros

2. Click the name of the panel that you want to add a macro to.
3. On the Macros page, click Add Macro.
Macros and macro commands are supported for triggers only. Macros and macro commands
associated with interlocks are not supported (read-only).
4. On the following Macro Command list, click the Macro link to change the macro name. In the new text
field, enter a new name for the macro then click OK.
5. Click Add Macro Command.
6. Give the macro command a name.
7. From the Command drop down list, select a macro command.
8. If extra options are displayed after you select a macro command, choose the options you need.
9. From the Group drop down list, select the group you want to assign this macro to.

11. Back at the Macro Command page, repeat the previous steps until you've added all the commands
that are required for this macro.
To apply this macro to a specific situation, see Assigning Macros on the next page.
To create quick macros that are specific to a particular door (simple macros), see Adding Simple Macros on
page 211.
Editing Macros

2. Click the name of the panel with the macro you want to edit.
3. On the Macros page, click the name of the macro you want to edit.
Macros and macro commands are supported for triggers only. Macros and macro commands
associated with interlocks are not supported (read-only).
Adding Macros 196

4. On the following Macro Command list, perform any of the following:
l To change the macro name, click the Macro name link. Enter a new name then click OK.
l To add a new macro command, click Add Macro Command.
l To edit a macro command, click the command type name.
l
To delete a macro command, click for the command.
l To change the order of the macro commands, click Sort.
Deleting Macros

2. Click the name of the panel with the macro you want to delete.
3. On the Macros page, click for the macro you want to delete.
Assigning Macros
Note: Only Mercury Security doors and panels support macros.
Once you have created a macro, you can assign them to specific triggers or other macros so that they can
automatically perform a series of actions under the right conditions.
Assigning a Macro to a Trigger
When you add a trigger to a panel, assigning a macro is part of the process. Triggers and macros work
together as a cause and effect pair. When the all the triggering conditions are met, the macro is automatically
initiated.
To assign a macro to a trigger:
1. Add a macro. For more information, see Adding Macros on the previous page.
2. Add a trigger. For more information, see Adding Triggers on the next page.
3. In the Trigger Add page, assign the new macro to the trigger.
4. Click .
Assigning a Macro to a Macro
You can activate a macro as part of a macro command to generate a complex series of actions.
To assign a macro to a macro command:
1. Add a macro. For more information, see Adding Macros on the previous page.
2. When you add a new macro command, select Macro Control from the Command drop down list.
3. When the related options are displayed, select the macro you want from the Macro drop down list and
Deleting Macros 197

select a specific Command for the macro to perform.
4. When you're finished, click .
Assigning a Macro to a Door
You can also assign a macro to a specific door by using the Simple Macro feature on the Door Operations
page. For more information, see Adding Simple Macros on page 211 and Operations tab (Mercury Security)
on page 256.
Sorting Macros
By default, when you add macro commands, the command actions are activated in the order they are added.
If you need to change the sequence of the macro commands, you can sort it into the order you want.
1. From the panel's Macros page, select the macro you want to sort.
2. On the following Macro Command list, click Sort. This button only appears if you have two or more
macro commands.
Each of the macro commands are highlighted in gray.
3. Click and drag the macro commands into the order you want.
4. Click Return when you are done.
Triggers
Note: Only Mercury Security panels support triggers.
Triggers work with macros to generate a set of cause and effect events. Triggers are the specific sequence of
events that must occur before a macro will be activated.
For example, you might define a trigger to be a tamper alarm issued by a specific subpanel. The macro linked
to that trigger will then automatically lock the door associated with that panel and sound the alarm.
Triggers are usually defined through the Triggers page on a specific panel or subpanel properties sheet.
Adding Triggers
2. Click the name of the panel that you want to add a trigger to.
3. On the Triggers page, click Add New Trigger.
4. Enter all the parameters that are required of the trigger.
5. Click to save the new trigger.
Assigning a Macro to a Door 198

Editing Triggers
2. Click the name of the panel that your trigger is on.
3. On the Triggers page, click the name of the trigger you want to edit.
4. On the following page, make the required changes.
Deleting Triggers
2. Click the name of the panel that your trigger is on.
3. On the Triggers page, click for the trigger you want to delete.
4. When you see the confirmation message, click OK.
Configuring Doors
Doors in the ACM system are logical units incorporating one or more components that are connected to a
panel.
These components could include:

l Door, gate, elevator, escalator, etc.
l Lock (such as magnetic or strike) or relay
l Reader
l Keypad
l Contact
l Panic bar
l ACM Verify
These items do not need to be physically installed on a door, but should be included if they affect how the
door locks or opens.
The usual components for a door are a reader, a lock (usually a strike), and a contact (usually a door position
or DPOS) that reports the door state. Additionally you can have an exit button (request-to-exit or REX) on the
opposite side of the door from the reader, or a second reader if you want to control access in both directions.
You can add doors:

l One at a time, configuring all settings manually.
l One at a time, configuring common or standardized door parameters and operational settings using a
door template. You still need to configure many attributes such as operations, hardware, cameras, and
interlocks specifically for individual doors. You must configure a door template before adding doors
using that template.
l In bulk, when you add a new Mercury panel and use the Subpanel: Batch Create wizard to create the
Editing Triggers 199

subpanels. At a minimum, you must have defined door templates with a Door Mode: option specified,
to create doors with this wizard. You can use this wizard to create:
o Subpanels with functioning doors. This requires door templates (to specify at least the Door
Mode: option) and wiring templates (to assign addresses and input, output and reader
templates to the doors).
o Subpanels with non-functioning doors. This requires door templates (to specify at least the
Door Mode:). You then need to complete the configuration for each door to make them all
function.
o Subpanels only. These can then be configured for doors or for inputs and outputs only, as
needed.
For more information about the templates you can use to create doors and subpanels, see Templates
Overview on page 142. For more information about the Subpanel: Batch Create wizard, see Batch
Creating Subpanels on a New Mercury Panel on page 171.
Searching for Doors

can result in a crowded listing page. You can search for specific doors to narrow the list of doors appearing
on the Doors list page.

the doors you want to see.
l If known, select the Appliance the door is connected to.
l If known, select the Group the door is included in.
2. Click OK.
Advanced Filtering on the Doors List

In addition to searching you can also use advanced filters to select multiple filters on the Door list.
1. Click Advanced Filters.

The Advanced Filters dialog box displays.
2. Select any required filters:
l Alarms—Select the alarms to include from the list of alarms.
l Masked—Select to include the masks to include from the list of masks.
l Normal—Select to include all properly functioning doors.
l Door Mode— Select the door modes to include from the list of door modes.
Searching for Doors 200

Note: To unselect all selected filters, click Unselect All. All selections will be removed.
3. If you want to save the selected filters, select Remember Filters.

4. Click OK.
The Door list refreshes to show the doors that meet your filters.
Controlling Doors
While you are monitoring the system, you may need to override the default door settings to allow a visitor
access to an area, or unlock a door in an emergency situation. From a Doors listing page in Physical
Access or Monitor > Dashboard, use the Door Action, Door Mode, Forced, Held, and Installed drop-down
menus to control doors.
Doors can also be controlled from Monitor > Maps. For more information, see Using a Map on page 452.
Note: Only the Installed options are available for virtual doors installed for use with ACM Verify
readers.
1. Select the checkbox for each the door you want to control.
Or click All at the top of the left column to select all doors or None to deselect all doors.
2. For one or more doors, select a Door Action if required:
Note: The door actions below are not applicable for Schlage offline Wi-Fi doors or SALTO
standalone doors. Only Grant is applicable for Schlage Control™ locks. Only Unlock and
Locked No Access are applicable for Von Duprin remote undogging (RU) devices. Locked No
Access and Disable are not applicable for ASSA ABLOY battery-powered and external-
powered doors.
l Grant — Momentarily grants access to the door to permit a single-time entry.

l Restore — Restores the Door Mode to its default configuration or Custom Mode.
Schlage locks with activated lock functions only. Restoring a door that has an activated Lock
Function (Classroom, Office, Privacy, or Apartment) removes the Lock Function and resets the
door mode to its default configuration.
For ASSA ABLOY IP doors only. Restoring a door results in the door going offline temporarily in
the ACM system.
l Unlock — Unlocks the door. The door remains unlocked until the Locked No Access command
is issued or until an operator override or scheduled action is initiated.

l Locked No Access — Locks the door. The door remains locked until the Restore command is
initiated or until an operator override or scheduled action is initiated.
l Disable — Disables the door. The door stops operating and allows no access to anyone.
l Lock (ASSA ABLOY Only) — For ASSA ABLOY IP doors only. Locks the door. The door remains
locked until a scheduled action is initiated.
3. Select any of the following Door Mode options to change the door mode.
4. Select either of the following Forced options if required:
l Mask Forced — Masks the Forced Door Alarm for the door. The status color changes to blue
and is no longer included in any alarm subtotal.
l Unmask Forced — Unmasks the Forced Door Alarm for the door.
5. Select either of the following Held options if required:
l Mask Held — Masks the Door Held Open Alarm for the door.
l Unmask Held — Unmasks the Door Held Open Alarm for the door.
6. Select either of the following Installed options if required:
l Install — Installs a door. Enables communication between the door and the ACM system.
l Uninstall — Uninstalls a door. Disables communication between the door and the ACM system.
7. Select Delete — Removes the connection between the door and the ACM system.
Adding Doors
To add a new door:
1. Select Physical Access > Doors.
Note: Doors cannot be manually added for Allegion offline Wi-Fi locks, SALTO doors and
ASSA ABLOY IP doors. For information about adding doors and associated panels, see
Step 2: Setting Up Communication to Offline Wi-Fi Locks on page 293, Step 3: Syncing Doors
with the SALTO Server on page 304 and Step 2: Syncing Doors with the Door Service Router
on page 314, respectively.
2. Click Add Door.

3. If door templates are used, the Templates dialog appears. To use the door settings from a template,
which automatically fills in the fields on the Parameters and Operations tabs, select the template and
click OK. Otherwise, click Cancel.
For Schlage IP-mode wireless devices or devices connecting to an RS485 hub, click Cancel.
4. Enter on the Parameters tab:
Adding Doors 202

Name Up to 50 characters for the name of the door. See Appendix: pivCLASS
Alt. Name An alternate name for the door.
Location A short description of the door location.
select a partition.
Panel The panel that controls the door, the gateway that controls the IP-mode wireless
device or the offline Wi-Fi device, or the external server that the ACM appliance is
connected to.
Displays for a panel that is connected to a subpanel that controls readers, locks,
inputs and outputs; or a gateway that controls IP-mode wireless devices.
Subpanel: The name of the subpanel that is connected to the main panel or the
name of the gateway.
Door Number or Lock Number: The door number for wired connections or lock
number for wireless devices. For SimonsVoss wireless locks, use the hexadecimal
address assigned by the SmartIntego Tool.
Device Id: Displays for Aperio AH-40 Hub subpanel only. The Lock/Sensor identifier
from the Aperio programming application.
Displays for a Schlage ENGAGE Gateway.
Lock Model: The lock model from the vendor.
Linked Device: The ID or name of each externally commissioned IP wireless or
offline Wi-Fi device. For more information, refer to the commissioning process in
vendor documentation.
Displays for an ASSA ABLOY DSR.
Lock Type: The battery-powered or external-powered lock type from the vendor.
Serial Number: The serial number of the lock.
Appliance The ACM appliance that is connected to the door, gateway, hub or external server.
Vendor The manufacturer of the panel, gateway, offline Wi-Fi device or external server.
Installed Enables communication between the ACM appliance and installed device after
saving.
Adding Doors 203

Displays for Schlage ENGAGE Gateway subpanel:
Access Type: Displays for an IP-connected wireless device only. Whether access is
located on one or both sides of the door. Default is Single, which cannot be
changed. For more information, see Access Types on page 215.
Door Mode: IP-connected wireless device only. The entry mode for the door when
the gateway is online and communicating with the device. For information about the
Unlocked, Locked No Access and Card Only options, see Door Modes on page 213.
IP-connected RU exit device only (not applicable to RM). The entry mode for the door
when the gateway is online and communicating with the device. For more
information about the Unlocked and Locked No Access (Unlocked on Next Exit)
options, see Door Modes on page 213.
Offline Wi-Fi lock only. The entry mode for the door when the lock is online. For
information about the Card Only option, see Door Modes on page 213.
Lock Function: None is the default (not applicable to RM device).
l Privacy: When the interior lock button is pressed, the door will lock and the
exterior lock will not grant access to any token. To unlock the door, the
interior lock button must be pressed again or exit the room.
Note: Only this lock function is supported for the ASSA ABLOY IP
locks.
l Apartment: Use the interior lock button to toggle between locked and
unlocked. When the door is locked, any valid token will open the door. The
door must be manually locked or it will stay unlocked.
l Classroom — Classroom/Storeroom — The lockset is normally secure. The
inside lever always allows free egress. Valid toggle credentials (i.e. a valid
card that is swiped twice within five seconds) on the exterior may be used to
change to a passage or secured status. Not to be used on mortise deadbolt.
Interior push button not to be used.
Note: Only this lock function is supported for the RSI-connected

NDE series lock.
Note: This lock function is not supported for the IP-connected

LE, LEB, NDE and NDEB series lock, or offline Wi-Fi lock.
l Office — The lockset is normally secure. The inside lever always allows free
Adding Doors 204

egress. An interior push-button on the inside housing may be used to select a
passage or secured status. Meets the need for lockdown function for safety
and security. Valid toggle credentials (i.e. a valid card that is swiped twice
within five seconds) on the exterior may also be used to change status. Not to
be used on mortise deadbolt.
Note: A Restore door action is available on the Door listing page and the
Hardware Status page which resets the Door Mode to its default value.
Always Mask Forced: If selected, Door Forced Open alarms at the door are always
masked.
Always Mask Held: If selected, Door Held Open alarms at the door are always
masked.
Custom Mode: Another door mode that is supported by the gateway.
Custom Schedule: Displays for an IP-connected door (LE, LEB, NDE, NDEB series
lock) if the Card Only door mode is selected, or IP-connected RU device if the Locked
No Access door mode is selected. A predefined time when Custom Mode becomes
active. Never Active is OFF. 24 Hours Active is ON.
For Avigilon, enter:
Station Type: Default is ACM Verify station, which is used on connected devices. A
device that uses this station type of station is called an ACM Verify Station.
Managed: If selected, ACM Verify Station requires the user to grant or deny access
to the person entering a valid PIN code. It also displays the name and picture of the
user for verification.
UnManaged: If selected, ACM Verify Station automatically grants or denies access
and does not provide additional information when a PIN code is entered.
Geographic Timezone: The time zone where the ACM Verify device is located if it is
different from the time zone of the ACM appliance.
Into Area: The area that the badge holder enters by passing through the door and
where the ACM Verify Station is used, or not, to monitor access to the area. You must
specify an area if you want the virtual station to list all the people who have entered
the area.
Station Authentication: The method of authentication on the ACM Verify device.
Login specifies that the user log in to the ACM software using the ACM URL from the
browser on the ACM Verify device. Paired specifies that the ACM Verify is paired to
the ACM system. If the authentication type is Paired, the Door Add page refreshes
and displays the Add Paired Device button.
Tip: The Avigilon settings do not require a panel.
Adding Doors 205

For Mercury Security and HID VertX panel, enter:
Access Type: Whether the reader is located on one or both sides of the door, or on
an elevator door. See Access Types on page 215.
Linked Door: Displays for Paired Primary and Paired Replica access type only. The
door with the reader on the other side of the door.
Door Mode: The entry mode of the door when the door controller is online and
communicating with the panel. See Door Modes on page 213.
Assurance Profile: For Mercury Security LP4502 only. See Appendix: pivCLASS
Offline Door Mode: The entry mode of the door if the door controller is no longer
communicating with the panel.
Note: In many cases readers in offline mode require a very simple solution
for entry or exit because of the memory limitations. The recommended
Offline Door Mode option is Locked No Access.
Custom Mode: Another entry mode that is supported by the door module in addition
to Door Mode and Offline Door Mode options.
Custom Schedule: When the Custom Mode becomes active. Never Active is OFF. 24
Hours Activeis ON.
Masked Forced Schedule: A predefined time when Door Forced Open alarms from
the door will be masked.
Masked Held Schedule: A predefined time when Door Held Open alarms from the
door will be masked.
masked.
masked.
Adding Doors 206

For SALTO panel, enter:
Door Mode: The entry mode of the door after syncing with the SALTO server and
installing the door. See Door Modes on page 213.
Custom Mode: Another entry mode of the door that is time-based (see Custom
Schedule). Can be Unlocked, Card and Pin, Office, Toggle or Keypad Only. If
Keypad Only is selected, Keypad Code is displayed. You can enter up to 8 digits.
See Door Modes on page 213.
Custom Schedule: A predefined time when Custom Mode becomes active.
masked.
masked.
Adding Doors 207

Door For Schlage door, select:
Processing
Attributes
Note: The following three attributes are not applicable to Control locks or
offline Wi-Fi locks.
Log Grants Right Away: Initiates local I/O in the panel using the panel triggers. The
system logs an extra event as soon as a grant occurs (that is, before entry / no entry
is determined). This event is not turned into an Access Control Manager event.
Certain customers may have a trigger they want to fire (to execute a macro) as soon
as there is a grant but before entry / no entry is determined.
Log All Access as Used: Logs all access grant transactions as if the person used the
door. If this field is not selected, the door determines if it was opened and
distinguishes if the door was used or not used for grant.
Detailed Events: Displays the current position of the door position switch (DPOS) in
the Door State column of the door listing screen. When enabled the column displays
“Open” when the DPOS is in an open state and “Closed” when the DPOS is in a
closed state.
Note: To properly report the Door State from the Door Position Switch,
Detailed Events must be enabled.
Typically, five to ten detailed transactions are generated for each grant transactions.
During the normal course of operation, most guards don't need to see extensive
reports on events; however, after hours, it is often useful to see every detail.
Do Not Log Rex Transactions: Indicates that request-to-exit transactions do not get
logged to the database.
Note: This is the only attribute supported for offline Wi-Fi locks.
Adding Doors 208

For Mercury Security panel, select:
system logs an extra event as soon as a grant ocurs (that is, before entry / no entry is
determined). This event is not turned into an Access Control Manager event.
Deny Duress : Denies access to a user that indicates duress at a door.
Don't Pulse Door Strike on REX: Disables the pulse of the door strike output when
the request-to-exit button is pressed and can be used for a 'quiet' exit. If not selected,
the output is pulsed.
Note: This field must not be checked for the SimonsVoss wireless lock, such
as cylinders, on a door that does not support a door position switch (DPOS).
Require Two Card Control: Two tokens are required to open this door. This enforces
the two-person rule at a specified door.
Door Forced Filter: : Filters door-forced alarms. Sometimes a door is either slow to
close or is slammed shut and bounces open for a few seconds. With this filter, the
monitor allows three seconds for a door to close before issuing an alarm.
closed state.
Enable Cipher Mode: Enables the operator to enter card number digits at the door’s
keypad.
Use Shunt Relay:Enables the use of a shunt relay for this door.
Adding Doors 209

For HID VertX panel, select:
Door use Tracking: The level of door event tracking that is logged in the Monitor
screen. These options should only be used when the Detailed Events option is
enabled.
l None: Only standard door events are logged.
l Used: The details of when the door is used.
l Used with pending: The events that occur between door use.
Deny Duress: If selected, denies access to a user who is in duress at a door.
Don't Pulse Door Strike on REX: Disables the pulse of the door strike when request-
to-exit button is activated.
Detailed Events: For circumstances when it is important to know all the details of an
event. Displays the current position of the door position switch (DPOS) in the Door
State column of the Door list. When enabled the column displays “Open” when the
DPOS is in an open state and “Closed” when the DPOS is in a closed state.
Enable Cipher Mode: Allows the operator to enter card number digits at the door’s
keypad.
Do Not Log Rex Transactions: Disables logging of request-to-exit transactions.
For SALTO panel, select:
Detailed events: Enables the reporting of event details, such as Door State and Door
Mode, after syncing and installing the door.
5. Click to add the door. Once saved the page becomes the Door: Edit page. If a door template was
used, the fields on the Parameters and Operations tabs are entered.
6. To edit door configuration, see Editing Doors on the next page. To edit lock configuration, see
Step 3: Configuring IP Wireless Devices on page 284.
l Parameters: Edit access type, processing attributes, lock functions, and other options.
l Operations: Displays for HID VertX, Mercury Security, Schlage wired and RSI wireless locks,
and ASSA ABLOY IP locks only. Edit simple macros, accepted card formats and other options.
l Hardware: Displays for HID VertX, Mercury Security, and Schlage wired and RSI wireless locks
only. Edit reader, door position, strike and request to exit (REX).
l Elev: Displays for Mercury Security only. View elevator door details.
l Cameras: Add or remove associated cameras.
l Interlocks: Displays for Mercury Security only. Sets interlocks.
l Events: View and edit door events.
l Access: Does not display for RU and RM exit devices. View access groups, roles and identities
that have door access.
l Transactions: View door transactions.
Adding Doors 210

Adding Simple Macros
You can add simple macros, or single action commands, to any door in the system. Simple macros are
triggered by one type of door event. This automatically activates the corresponding output.
For more information about macros, see Macros on page 195.
1. Select Physical Access.

The Door list is displayed.
2. Select a door from the Door list.
3. On the Door Edit screen, select the Operations tab.
At the bottom of the page is the Simple Macros section.
4. Select the Type of door event that will activate the output. The options are:
l Forced
l Held
l Pre-Alarm
5. Select when the simple macro will be active from the Schedule drop down list. Only schedules that
have been configured in the system are listed.
6. Select the output that is activated when the selected type of door event is triggered.
7. Click Save Macro.
A new row is automatically added to the table.
8. If you need to add another simple macro, repeat steps 4 - 7 in the new row.
To remove a configured simple macro, simply click Remove Macro. The row is deleted.
Editing Doors
A door can be edited after its initial configuration. For example, you may need to change the access type or
door mode to reflect changes on your site.

2. Select the name of the door.
3. Edit the details on each tab as required:
Adding Simple Macros 211

For field descriptions, see:
l VertX on page 239
l Mercury Security on page 252
l Schlage IP wireless locks, and RU or RM devices on page 286
l SALTO doors on page 304
l ASSA ABLOY IP doors on page 315
4. After editing each tab, click to save your changes.
Doors - Editing VertX® Doors

The Doors list is displayed.
2. From the Doors list, click the VertX® door name you want to edit.
The Door: Edit screen for that specific door type is displayed.
3. Edit the door by changing values on each of the door option tabs.

You are returned to the list with all changes saved.
Doors - Editing Mercury Security Doors

To edit an existing Mercury Security door:

The Doors list page is displayed.
2. Click the door name to select the door you want to edit.
The Door Edit screen for that specific door is displayed.
You are returned to the list with all changes saved.
Deleting Doors
To delete a door:
Doors - Editing VertX® Doors 212

1. From the Door list, click for the door that you want to delete.
The selected door is now removed from the system.
Note: SALTO doors only. When doors are deleted in the ACM system, the corresponding
doors in the SALTO system are not deleted. At the next manual sync in the ACM system, the
door will display as a new uninstalled door.
Door Modes
For Mercury Security and HID VertX panels. The same list of options is provided for the Offline Door Mode
option.
For ASSA ABLOY IP-enabled doors, SALTO standalone doors and Schlage offline Wi-Fi doors. Any locks that
do not support real-time communication with a server, will not display door mode options on the Doors list
page and maps. Door mode can be set on the Door: Edit page and by using a batch job (specification).
Door Mode Description

Disabled The door is disabled for all access.
Unlocked The door is always unlocked.
Locked No Access The door is always locked. No access is allowed through this system.
Locked No Access (Unlocked The door is locked until a person presses the push bar to exit.
on Next Exit)
Facility Code Only The door can be accessed using a facility code.
All employees share a single code. This option can be useful in offline
situations, when the door controller is no longer communicating with the
Card Only The door can be accessed using a card. No PIN is required. To support the
selected Assurance Profile for a pivCLASS configured door, it is
recommended to set the Door Mode to Card Only.
Mercury door only. The type of reader used to read this card is determined
in the Reader Type field.
Door Modes 213

Door Mode Description
Pin Only The door can only be accessed by entering a PIN at a keypad.
No card is required.
Note: This door mode is not available if the 'Allow duplicate PINs'
option has been selected on the System Settings - General page.
Card and Pin The door can only be accessed using both a card and a PIN.
ASSA ABLOY IP door only. If the token does not have a PIN, the door can
be accessed by swiping the card only.
Card or Pin The door can be accessed either by entering a PIN at a keypad or by using
a card at the card reader.
Note: This door mode is not available if the 'Allow duplicate PINs'
Office SALTO door only. The lock allows the cardholder to leave the lock open.
To use this mode, the cardholder presents the key to the door while
pressing down the inner handle and repeats the procedure to undo the
mode.
Toggle SALTO door only. The door allows the cardholder to toggle between
leaving the lock open and closing it by presenting the assigned key (there
is no need to press down the inner handle).
To use this mode, the cardholder presents the key to leave the lock open
and repeats the procedure to close it.
Keypad Only SALTO door only. The door can only be accessed by entering the shared
keypad code at a keypad. If selected, Keypad Code is displayed. You can
enter up to 8 digits.
First Person Through ASSA ABLOY battery-powered or external-powered door only. The first
person who is granted access to the door will unlock the lock.
Exit Leaves Open SALTO door (not connected to control unit) only. The door is unlocked
when the inner door handle is pressed. Allows the cardholder to exit and
return to the building without using an assigned key during an emergency
(referred to as Escape and Return mode).
To lock the door, add a global action to set a time limit on the open door.
Toggle and Exit Leaves Open SALTO door (not connected to control unit) only. The door allows the
cardholder to use either the Toggle or Exit Leaves Open door mode during
an emergency (referred to as Escape and Return mode).
Door Modes 214

Access Types
When you select an Access Type from the Door Edit page, the listed options include:
Note: The options may be different depending on the type of panel that is connected to the door.
Feature Description
Single This is a door with a reader/keypad on only one side, normally entry only.
Paired This indicates that this door possesses a reader/keypad on both sides, entry and exit, and that
Primary this side is the Primary.
If you select this option, the Paired Door option is automatically displayed for you to specify
the other reader that is installed on the door.
Paired This indicates that this door possesses a reader/keypad on both sides, entry and exit, and that
Replica this side is the replica.
If you select this option, the Paired Door option is automatically displayed for you to specify
the other reader that is installed on the door.
Elev no This door is an elevator with no feedback input.
feedback
Elev This door is an elevator with a feedback input.
feedback
Anti-Passback
The anti-passback (APB) feature can be configured to log or prevent a card from being re-used to access the
same area unexpectedly.
For example, the same card cannot be used to enter the same room twice in a row. If a badge holder enters a
room then passes the card to another potential badge holder to reuse the card at the same door, an APB
error is logged and may be configured to prevent the second badge holder from entering.
Another example is when an access card is also required to exit. If a badge holder holds open a door for
another person, the second person would not be able to exit even if they have an access card because the
system requires the badge holder to log an entrance in the system before they can exit.
To set up this feature, complete the following procedures:
Anti-Passback Modes
When you select the Operations tab on the Door Edit page, one of the options is APB Mode.
Anti-Passback (APB) requires that a user must enter and exit a room before they may enter another room. For
example, the typical user of a parking lot would normally swipe their card at the “in” reader to enter the lot
and swipe it at the “out” reader to exit the lot. However, if a user swipes their card at the “in” reader then
passes their card back to a friend, the card would be denied access the second time when it is swiped by the
friend.
To track anti-passback, a card reader must be installed on both the inside and the outside of the door. Users
Access Types 215

are required to use the card to enter and exit the building.
Note: The APB modes may be different depending on the panels you have installed.
Mode Description
No APB is not used.
Selection
Door- Allows you to configure APB with just one reader. The door keeps track of each badge that
Based enters and does not allow the same badge to enter twice in a row until after the APB time limit is
Timed
reached.
APB
Make sure you specify an APB time limit in the APB Delay field. Do not configure the area
entering or area leaving setting for the door.
Note: This mode is only available if using Mercury Security hardware.
Token- Tracks each door a badge has accessed. After the badge has accessed one door, it must access
Based a second door or wait until the APB time limit is reached before it may access the first door
Timed
again.
APB
Make sure you specify an APB time limit in the APB Delay field. Do not configure the area
entering or area leaving setting for the door.
Hard Tracks each badge that enters a door and does not allow the same badge to enter twice in a
Door APB row. This badge will not be able to enter through the same door until it has accessed a second
door.
Enter a value in the APB Delay field to create a time-based APB.
Note: This mode is only available if using VertX® hardware.
Anti-Passback Modes 216

Mode Description
Soft Door Tracks each badge that enters a door and generates a warning transaction if the same badge is
APB used at the same door twice in a row. This badge is still able to enter the door the second time,
but the access is logged as an APB violation.
Note: This mode is only available if using VertX® hardware.
Hard Area Tracks each badge that enters a specific area and defines which areas the badge may access
APB next. The badge is denied access if it tries to access an undefined area. If the badge is used to
access an area that a person is already in, the badge is denied access and an APB violation is
logged.
Make sure you configure the area entering and area leaving setting for the specified door.
Note: The Don't Care setting is not applicable to the Out of Area and Into Area fields. In
addition, this mode is not used across multiple controller panels.
Soft Area Tracks each badge that enters a specific area and defines which areas the badge may access
APB next. The badge is allowed to access the area, but the access is logged as an APB violation.
Timed Time-based hard area APB. When the time limit expires, the hard area APB becomes a soft area
Area APB APB. If a person leaves the area by going through a door marked Out of Area, the APB will be
reset.
Setting Up Anti-Passback
Before you begin, consider what type of anti-passback (APB) mode that you need for each situation. For more
information, see Anti-Passback Modes on page 215.
To use the APB feature, you must set up at least two doors in ACM: one to represent the entrance and one to
represent an exit.
Setting Up Anti-Passback 217

Note: All doors should use the same controller panel for best results. For information about two-
person minimum occupancy on an installed door that uses Mercury panels and controller firmware
1.29.1 or later, see Two-Person Minimum Occupancy and Single Door Configuration below.
1. Create at least one area.

2. Create two doors that are connected to the same panel.
l If there are two distinct doors in the room (for example, a door on opposite ends of a room),
select Single as the Access Type.
l If there is only one door in the room, you still must create two doors in the system. For the
entrance door, select Paired Primary as the Access Type. This door will control all the inputs
and outputs that are connected to the door.
For the exit door, select Paired Replica as the Access Type. This door will only control the
reader that allows badge holders to exit the room.
For both doors, assign the other door as the Linked Door.
3. After the doors have been created, assign an APB Mode for each door on the door's Operations tab.
Remember to click to save the changes on each page.

4. Assign the area you created in the first step for the Into Area for each door.
5. If you created more than one area, select the Out of Area for each door. Otherwise, you can leave it as
Don't Care.
6. If you are setting up a timed APB mode, enter the number of seconds before another entry is allowed
in the APB Delay field.
Two-Person Minimum Occupancy and Single Door Configuration
Mercury Security doors only.
Note: Two-person minimum occupancy is supported on an installed door that uses Mercury panels
and controller firmware 1.29.1 or later.
An area with 2-Person Control enabled in ACM (see Safe in the following example) will enforce a two-person
occupancy minimum in the area. This means that the first access requires two people to swipe their cards
before they can access the area. Any subsequent access requires only one person to swipe their card. When
leaving the area, the last two people need to swipe their cards in order to exit.

To configure a two-person minimum occupancy area and door access for two or more identities and their
tokens:
1. Add and edit two areas in ACM.

Example:
Control area:
Name Enable Area 2-Person Control Doors In Doors Out
Safe Safe Entry Safe Exit
Adjacent lobby:
Name Enable Area
Lobby
For more information, see Adding Areas on page 319 and Editing Areas on page 319
2. Add two doors in ACM to represent the single Mercury Security door.
Example:
Door representing the entry into the two-person minimum occupancy area:
Name Installed Access Type APB Mode Into Area Out of Area
Safe Entry Paired Replica Hard Area APB Safe Lobby
Hardware tab:
Door Position Strike
(not selected) (not selected)
Door representing the exit from the two-person minimum occupancy area:
Operations tab:
Name Installed Access Type APB Mode Into Area Out of Area

Safe Exit Paired Primary Hard Area APB Lobby Safe
Hardware tab:
Door Position Strike
Safe Exit DPOS (Subpanel:N Output:N) Safe Exit Strike (Subpanel:N Output:N)
For more information, see Adding Doors on page 225 and Editing Doors on page 211.
3. Add two or more identities and ensure their tokens are assigned. For more information, see Adding an
Identity on page 69 and Assigning Tokens to Identities on page 71.
If specified, APB Exempt applies to all defined areas.
4. To enter the two-person minimum occupancy area:
l If the area is empty, two people will need to swipe their individual cards to access the area. The
second card must swipe within 15 seconds of the first swipe.
l When the area contains two people, a swipe from a third person (and any subsequent swipe)
will allow access to the area.
5. To leave the two-person minimum occupancy area:
l If the area contains more than two people, a single swipe will allow them to exit the area until
only two people are left in the area.
l When the area contains only two people, both of them will need to swipe to exit the area. The
second card must swipe within 15 seconds of the first swipe.
Granting a Free Pass

You can grant a user one free pass to enter a door without generating an anti-passback error. This feature is
useful if a badge holder swiped their card at a card reader but did not actually enter the area.
For example, an employee uses his access card to unlock the office entrance but is distracted by another
employee before he opens the door. The two employees speak for several minutes, and the door
automatically locks after a set amount of time. When the first employee attempts to unlock the office door
again, this triggers an APB alarm and the employee is locked out. The employee contacts the security officer
and explains the situation, the security officer can grant one free pass to allow the employee back into the
office area.
To grant a free pass:
The Identities list is displayed.
2. From the Identities list, click on the name of the identity.
The Identities: Edit screen is displayed.
4. Beside the 1 free pass button, select a door.
5. Click 1 free pass.
The badge holder can now enter the door without generating an new anti-passback alarm.
Granting a Free Pass 220

Global Anti-Passback
Global anti-passback defines an area for which two or more readers are used to access the area, but are
physically wired to different controllers. If any one reader in that same area receives an APB violation, it will
prevent that badge holder from entering through other doors in same area.
Global Anti-Passback Modes
Global anti-passback is automatically implemented using APB mode. For more information about global anti-
passback modes, see Anti-Passback Modes on page 215.
Interlocks
Note: Only Mercury Security doors support interlocks.
An interlock is a mechanism that enables a specific event from one element of the system to trigger an action
at another element. Interlocks allow you to set up security routines like man-traps, prison entry points, and
automated building functions.
The interlock feature can be accessed from one of three ways:
Accessing Interlocks through Doors

The Doors list is displayed.
2. Select the Mercury Security door that you want to interlock.
The Door Edit screen is displayed.
3. Click the Interlocks tab.
The Door Interlocks list is displayed.
Accessing Interlocks from Subpanel Inputs

The Panels list is displayed.
2. Select the panel you want to interlock.
The Panel Status screen is displayed.
3. Click the Subpanels tab.
The Subpanels list is displayed.
4. Click for the subpanel that is connected to the input you want to interlock.
The Inputs list is displayed.
5. Click the Interlocks link beside the required input.
The Input Interlock list is displayed.
Accessing Interlocks from Subpanel Outputs
Global Anti-Passback 221

The Panels list is displayed.
2. Select the panel you want to interlock.
The Panel Status screen is displayed.
3. Click the Subpanels tab.
The Subpanels list is displayed.
4. Click for the subpanel that is connected to the output you want to interlock.
The Outputs list is displayed.
5. Click the Interlocks link beside the required output.
The Output Interlock list is displayed.
Adding Interlocks
1. From the Interlock list, click Add Interlock. For more information about how to access the different
Interlock Listing pages, see Interlocks on the previous page.
2. On the following Interlock Add page, add the required information.
Notice that as you select options, new fields are displayed to help you further define your
requirements.
3. When you're finished, click to save the new interlock.
Editing Interlocks
1. From the Interlock list, click the name of an interlock. For more information about how to access the
different Interlock Listing pages, see Interlocks on the previous page.
2. On the following Interlock Edit page, make the required changes.
Doors list
The Doors page lists of all the doors you are authorized to see and control. From this list you can control
doors, as well as add and delete doors, edit doors and their associated controller panels, and create
overrides to temporarily change the normal status of selected doors.
Note: Overrides can only be applied to installed doors on Mercury panels using controller firmware
1.27.1 or later.
Select Physical Access > Doors to access the Doors list.

Searching, sorting, and filtering
can result in a crowded listing page. You can search for specific doors to narrow the list of doors, filter the
columns for specific values, and create and save custom filters. You can then sort the results using any one
Adding Interlocks 222

column.
Searching the list:

the doors you want to see.
l If known, select the Appliance the door is connected to.
l If known, select the Group the door is included in.
2. Click OK.
Creating a filter to select multiple filters:
1. Click Advanced Filters to open the Advanced Filters dialog box.

2. Select filters:
l Alarms—Select the alarms to include from the list of alarms.
l Masked—Select to include the masks to include from the list of masks.
l Normal—Select to include all properly functioning doors.
l Door Mode— Select the door modes to include from the list of door modes.
To unselect all selected filters, click Unselect All.
3. If you want to save the selected filters, select Remember Filters.
4. Click OK.
Sorting the list:
1. Click in a column heading:

l Click to sort in ascending order.
l
Click to sort in descending order.
To see the legend for all the device statuses:
l Click Legend to see the list of statuses and the related icons.
There are three groupings which are color-coded — Normal , Alarms , Masked :
Adding and deleting doors
l Click the Add Door button to define a new door. For more information, see Adding Doors on
page 225.
l Select doors in the list and click the Delete button.
Editing doors and panels:
l Click the link to the door in the Name column. For more information, see Editing Doors on page 211.
l Click the link to the panel in the Panel column.
Controlling doors:
Select doors in the list and then use the drop-down options from the control buttons at the top of the page to
Doors list 223

control them:
l Door Action
l Door Mode
l Forced
l Held
l Installed
For more information, see Controlling Doors on page 201.

Creating a Door Configuration report
l Click Create New Report to generate a Door Configuration report on the doors in this list.
The following information is displayed for each door in the list:
Column Heading Description
All/None Use this toggle to select and deselect all the doors currently visible in the list. Or you
can use the checkbox to select individual doors.
Device status Displays the device status. Hover the mouse over the related icon to see more
details.
Note: The tamper icon only appears for OSDP readers, and reports whether
the reader is offline or has been tampered with.
Name The name assigned to this door.
Click on this name to open the Door: Edit page Parameters tab.
Panel The name of the panel to which this door is connected. Click on this name to open
the Panel: Edit page Configure tab.
Door state Current state of the related door: Open or Closed.
Note: To properly report the Door State from the Door Position Switch, the
Detailed Events parameter must be enabled for the door. If this parameter is
not set for a door, edit the parameters for the door.
Doors list 224

Column Heading Description
Door mode Indicates the door mode — the method by which the door is opened:
l Disabled
l Unlocked
l Locked No Access
l Facility Code Only
l Card Only
l Pin Only
l Card & Pin
l Card or Pin
Adding Doors
To add a new door:
Note: Doors cannot be manually added for Allegion offline Wi-Fi locks, SALTO doors and
ASSA ABLOY IP doors. For information about adding doors and associated panels, see
Step 2: Setting Up Communication to Offline Wi-Fi Locks on page 293, Step 3: Syncing Doors
with the SALTO Server on page 304 and Step 2: Syncing Doors with the Door Service Router
on page 314, respectively.
2. Click Add Door.

3. If door templates are used, the Templates dialog appears. To use the door settings from a template,
which automatically fills in the fields on the Parameters and Operations tabs, select the template and
click OK. Otherwise, click Cancel.
For Schlage IP-mode wireless devices or devices connecting to an RS485 hub, click Cancel.
4. Enter on the Parameters tab:
Name Up to 50 characters for the name of the door. See Appendix: pivCLASS
Alt. Name An alternate name for the door.
Location A short description of the door location.
Adding Doors 225

select a partition.
Panel The panel that controls the door, the gateway that controls the IP-mode wireless
device or the offline Wi-Fi device, or the external server that the ACM appliance is
connected to.
Displays for a panel that is connected to a subpanel that controls readers, locks,
inputs and outputs; or a gateway that controls IP-mode wireless devices.
Subpanel: The name of the subpanel that is connected to the main panel or the
name of the gateway.
Door Number or Lock Number: The door number for wired connections or lock
number for wireless devices. For SimonsVoss wireless locks, use the hexadecimal
address assigned by the SmartIntego Tool.
Device Id: Displays for Aperio AH-40 Hub subpanel only. The Lock/Sensor identifier
from the Aperio programming application.
Displays for a Schlage ENGAGE Gateway.
Lock Model: The lock model from the vendor.
Linked Device: The ID or name of each externally commissioned IP wireless or
offline Wi-Fi device. For more information, refer to the commissioning process in
vendor documentation.
Displays for an ASSA ABLOY DSR.
Lock Type: The battery-powered or external-powered lock type from the vendor.
Serial Number: The serial number of the lock.
Appliance The ACM appliance that is connected to the door, gateway, hub or external server.
Vendor The manufacturer of the panel, gateway, offline Wi-Fi device or external server.
saving.
Adding Doors 226

Displays for Schlage ENGAGE Gateway subpanel:
Access Type: Displays for an IP-connected wireless device only. Whether access is
located on one or both sides of the door. Default is Single, which cannot be
changed. For more information, see Access Types on page 215.
Door Mode: IP-connected wireless device only. The entry mode for the door when
the gateway is online and communicating with the device. For information about the
Unlocked, Locked No Access and Card Only options, see Door Modes on page 213.
IP-connected RU exit device only (not applicable to RM). The entry mode for the door
when the gateway is online and communicating with the device. For more
information about the Unlocked and Locked No Access (Unlocked on Next Exit)
options, see Door Modes on page 213.
Offline Wi-Fi lock only. The entry mode for the door when the lock is online. For
information about the Card Only option, see Door Modes on page 213.
Lock Function: None is the default (not applicable to RM device).
l Privacy: When the interior lock button is pressed, the door will lock and the
exterior lock will not grant access to any token. To unlock the door, the
interior lock button must be pressed again or exit the room.
Note: Only this lock function is supported for the ASSA ABLOY IP
locks.
l Apartment: Use the interior lock button to toggle between locked and
unlocked. When the door is locked, any valid token will open the door. The
door must be manually locked or it will stay unlocked.
l Classroom — Classroom/Storeroom — The lockset is normally secure. The
inside lever always allows free egress. Valid toggle credentials (i.e. a valid
card that is swiped twice within five seconds) on the exterior may be used to
change to a passage or secured status. Not to be used on mortise deadbolt.
Interior push button not to be used.
Note: Only this lock function is supported for the RSI-connected

NDE series lock.
Note: This lock function is not supported for the IP-connected

LE, LEB, NDE and NDEB series lock, or offline Wi-Fi lock.
l Office — The lockset is normally secure. The inside lever always allows free
Adding Doors 227

egress. An interior push-button on the inside housing may be used to select a
passage or secured status. Meets the need for lockdown function for safety
and security. Valid toggle credentials (i.e. a valid card that is swiped twice
within five seconds) on the exterior may also be used to change status. Not to
be used on mortise deadbolt.
Note: A Restore door action is available on the Door listing page and the
Hardware Status page which resets the Door Mode to its default value.
masked.
masked.
Custom Mode: Another door mode that is supported by the gateway.
Custom Schedule: Displays for an IP-connected door (LE, LEB, NDE, NDEB series
lock) if the Card Only door mode is selected, or IP-connected RU device if the Locked
No Access door mode is selected. A predefined time when Custom Mode becomes
active. Never Active is OFF. 24 Hours Active is ON.
For Avigilon, enter:
Station Type: Default is ACM Verify station, which is used on connected devices. A
device that uses this station type of station is called an ACM Verify Station.
Managed: If selected, ACM Verify Station requires the user to grant or deny access
to the person entering a valid PIN code. It also displays the name and picture of the
user for verification.
UnManaged: If selected, ACM Verify Station automatically grants or denies access
and does not provide additional information when a PIN code is entered.
Geographic Timezone: The time zone where the ACM Verify device is located if it is
different from the time zone of the ACM appliance.
Into Area: The area that the badge holder enters by passing through the door and
where the ACM Verify Station is used, or not, to monitor access to the area. You must
specify an area if you want the virtual station to list all the people who have entered
the area.
Station Authentication: The method of authentication on the ACM Verify device.
Login specifies that the user log in to the ACM software using the ACM URL from the
browser on the ACM Verify device. Paired specifies that the ACM Verify is paired to
the ACM system. If the authentication type is Paired, the Door Add page refreshes
and displays the Add Paired Device button.
Tip: The Avigilon settings do not require a panel.
Adding Doors 228

For Mercury Security and HID VertX panel, enter:
Access Type: Whether the reader is located on one or both sides of the door, or on
an elevator door. See Access Types on page 215.
Linked Door: Displays for Paired Primary and Paired Replica access type only. The
door with the reader on the other side of the door.
Door Mode: The entry mode of the door when the door controller is online and
communicating with the panel. See Door Modes on page 213.
Assurance Profile: For Mercury Security LP4502 only. See Appendix: pivCLASS
Offline Door Mode: The entry mode of the door if the door controller is no longer
communicating with the panel.
Note: In many cases readers in offline mode require a very simple solution
for entry or exit because of the memory limitations. The recommended
Offline Door Mode option is Locked No Access.
Custom Mode: Another entry mode that is supported by the door module in addition
to Door Mode and Offline Door Mode options.
Custom Schedule: When the Custom Mode becomes active. Never Active is OFF. 24
Hours Activeis ON.
Masked Forced Schedule: A predefined time when Door Forced Open alarms from
the door will be masked.
Masked Held Schedule: A predefined time when Door Held Open alarms from the
door will be masked.
masked.
masked.
Adding Doors 229

For SALTO panel, enter:
Door Mode: The entry mode of the door after syncing with the SALTO server and
installing the door. See Door Modes on page 213.
Custom Mode: Another entry mode of the door that is time-based (see Custom
Schedule). Can be Unlocked, Card and Pin, Office, Toggle or Keypad Only. If
Keypad Only is selected, Keypad Code is displayed. You can enter up to 8 digits.
See Door Modes on page 213.
Custom Schedule: A predefined time when Custom Mode becomes active.
masked.
masked.
Adding Doors 230

Door For Schlage door, select:
Processing
Attributes
Note: The following three attributes are not applicable to Control locks or
offline Wi-Fi locks.
system logs an extra event as soon as a grant occurs (that is, before entry / no entry
is determined). This event is not turned into an Access Control Manager event.
closed state.
Note: This is the only attribute supported for offline Wi-Fi locks.
Adding Doors 231

For Mercury Security panel, select:
system logs an extra event as soon as a grant ocurs (that is, before entry / no entry is
determined). This event is not turned into an Access Control Manager event.
Deny Duress : Denies access to a user that indicates duress at a door.
Don't Pulse Door Strike on REX: Disables the pulse of the door strike output when
the request-to-exit button is pressed and can be used for a 'quiet' exit. If not selected,
the output is pulsed.
Note: This field must not be checked for the SimonsVoss wireless lock, such
as cylinders, on a door that does not support a door position switch (DPOS).
Require Two Card Control: Two tokens are required to open this door. This enforces
the two-person rule at a specified door.
Door Forced Filter: : Filters door-forced alarms. Sometimes a door is either slow to
close or is slammed shut and bounces open for a few seconds. With this filter, the
monitor allows three seconds for a door to close before issuing an alarm.
closed state.
Enable Cipher Mode: Enables the operator to enter card number digits at the door’s
keypad.
Use Shunt Relay:Enables the use of a shunt relay for this door.
Adding Doors 232

For HID VertX panel, select:
Door use Tracking: The level of door event tracking that is logged in the Monitor
screen. These options should only be used when the Detailed Events option is
enabled.
l Used: The details of when the door is used.
l Used with pending: The events that occur between door use.
Deny Duress: If selected, denies access to a user who is in duress at a door.
Don't Pulse Door Strike on REX: Disables the pulse of the door strike when request-
to-exit button is activated.
Detailed Events: For circumstances when it is important to know all the details of an
event. Displays the current position of the door position switch (DPOS) in the Door
State column of the Door list. When enabled the column displays “Open” when the
DPOS is in an open state and “Closed” when the DPOS is in a closed state.
Enable Cipher Mode: Allows the operator to enter card number digits at the door’s
keypad.
For SALTO panel, select:
Detailed events: Enables the reporting of event details, such as Door State and Door
Mode, after syncing and installing the door.
5. Click to add the door. Once saved the page becomes the Door: Edit page. If a door template was
used, the fields on the Parameters and Operations tabs are entered.
6. To edit door configuration, see Editing Doors on page 211. To edit lock configuration, see
Step 3: Configuring IP Wireless Devices on page 284.
Adding Doors 233

Doors - VertX® New Parameters page
After you save a new door for the first time, the screen refreshes and displays the initial Parameters page for
the door.
Feature Description
Name The name of the door.
Alt Name The alternative name of the door.
Location The location of the door.
Appliance The appliance the door is connected to.
Vendor The name of the door manufacturer.
Installed Enables communication between the ACM appliance and installed device after saving.
partition.
Panel Specify the panel the door is assigned to.
After you make your selection, new options may be displayed to define how the door is
connected to the panel.
Subpanel Specify the subpanel that is connected to the door.
This option is only displayed if there is a subpanel connected to the specified panel.
Lock Number Specifies a configured group of readers, inputs, and outputs that are connected from the
subpanel to the door. Select the lock number from the drop-down list.
Access Type Select the Access Type for the door.
Tip: If the access type is a paired door (paired primary or paired replica), the Door
Add page re-displays with the additional field, Paired Door. Select the Paired Door
option from the drop down list.
Door Mode Select the entry mode for the door when the door controller is online and communicating
with the panel.
Offline Door Select the entry mode used for the door if the door controller is no longer communicating
Mode with the panel.

Feature Description
Custom Mode Select any additional door mode the door must support outside the Door Mode and Offline
Mode options.
Schedule
system are listed.
Mask Forced Define when Door Forced Open alarms from this door will be masked.
Schedule
system are listed.
Mask Held Define when Door Held Open alarms from this door will be masked.
Schedule
system are listed.
Always Mask Check this box to mask all Forced Door events.
Forced
Always Mask Check this box to mask all Door Held Open events.
Held
Door use Select one of the listed options to define the level of door event tracking that is logged in
Tracking the Monitor screen.
l None: only standard door events are logged
l Used: includes the details of when the door is used
l Used with pending: includes the events that occur between door use.
These options should only be used when the Detailed events option is enabled.
Deny Duress If a user indicates duress at a door, checking this box denies access.
Don't Pulse Check this box to disable the pulse of the door strike when request-to-exit button is
Door Strike activated.
on REX
Detailed Check this box to generate detailed events of all hardware at the door including door
Events position masking, timer expiration and output status.
event.
Enable Cipher Check this box to enable cipher mode.
Mode
Cipher mode allows the operator to enter card number digits at the door’s keypad.
Do Not Log Check this box to disable logging of request-to-exit transactions.
Rex
Transactions

Doors - Mercury Security New Parameters page
After you save a new door for the first time, the screen refreshes and displays the initial Parameters page for
the door.
Feature Description
partition.
Panel Specifies the panel the door is assigned to.
Subpanel Specifies the subpanel that is connected to the door.
This option is only displayed if there is a subpanel connected to the selected main panel.
Door Number A configured group of readers, inputs, and outputs that are connected from the subpanel to
the door.
For wired connections, the door number from the drop-down list.
For wireless locks only:

l The number programmed for the lock. For all locks except SimonsVoss, select the
number from the drop-down list.
l For SimonsVoss wireless locks, the hexadecimal address assigned by the
SmartIntego Tool. For more information, see Configuring SimonsVoss Wireless Locks
on page 191.

Feature Description
Access Type Select the Access Type from the drop down list.
Door mode The entry mode for the door when the door controller is online and communicating with the
panel.
Select a Door Mode option from the drop down list.

Offline Door The entry mode used for the door if the door controller is no longer communicating with the
Mode panel.
Select the Offline Mode option from the drop down list.
Lock Select how the interior lock button will function.
Function
l Privacy — When you press the interior lock button, the door will lock and the exterior
lock will not grant access to any token. To unlock, you must press the interior lock
button again or exit the room.
l Apartment — When you press the interior lock button, the door will lock but any valid
token will open the door. The door must be manually locked or it will stay unlocked.
l Classroom — Classroom/Storeroom. The lockset is normally secure. The inside lever
always allows free egress. Valid toggle credentials (i.e. a valid card that is swiped
twice within five seconds) on the exterior may be used to change to a passage or
secured status. Not to be used on mortise deadbolt. Interior push button not to be
used.
l Office — The lockset is normally secure. The inside lever always allows free egress.
An interior push-button on the inside housing may be used to select a passage or
secured status. Meets the need for lockdown function for safety and security. Valid
toggle credentials (i.e. a valid card that is swiped twice within five seconds) on the
exterior may also be used to change status. Not to be used on mortise deadbolt.
There is a Restore door action available on the Hardware Status page or Door Listing page
which resets the door's configuration values to their default value. If the door is in any mode
(Classroom, Office, Privacy, or Apartment) it will be 'restored' to the opposite status (e.g. if
the door is in Privacy mode then it is locked - if the Restore option is selected then the door
will return to its default mode, which is the mode set in the base configuration for the door).

Feature Description
Custom Select any additional door mode the door must support outside the Door Mode and Offline
Mode Mode options.
Schedule
system are listed.
Schedule
system are listed.
Schedule
system are listed.
Always Mask Check this box to specify that Door Forced Open alarms at this door are always masked.
Forced
Normally, this box is unchecked.
Always Mask Check this box to specify that Door Held Open alarms at this door are always masked.
Held
Log grants When this box is checked, the system logs an extra event as soon as there is a grant (that is,
right away before entry / no entry is determined). This event is not turned into a Access Control
Manager event. Check this box in order to initiate local I/O in the panel using the panel
triggers.
Certain customers may have a trigger they want to fire (to execute a macro) as soon as there
is a grant but before entry / no entry is determined.
Deny duress Check this box to deny access to a user that indicates duress at a door.
Don't pulse Check this box to disable the pulse of the door strike output when the request-to-exit button
door strike on is pressed and can be used for a 'quiet' exit.
REX
If this box is not checked, the output is pulsed.
For SimonsVoss wireless lock doors that do not support a door position switch (DPOS) , this
box must not be checked.
Require two Check this box to specify that two tokens are required to open this door. This enforces two-
card control person rule at a specified door.
Door Forced Check this box to enable the filter feature for door forced alarms.
Filter
There are instances when a door is either slow to close or is slammed shut and bounces
open for a few seconds. With this filter, the monitor allows three seconds for a door to close
before issuing an alarm.
Log all access Check this box to log all access grant transactions as if the person used the door. If this box
as used is not checked, the door determines if it was opened and will distinguish if the door was
used or not used for grant.

Feature Description
Detailed Check this box to display the current position of the door position switch (DPOS) in the Door
events State column of the door listing screen. When enabled the column will display “Open” when
the DPOS is in an open state and “Closed” when the DPOS is in a closed state.
Note: To properly report the Door State from the Door Position Switch, Detailed
Events must be enabled.
Typically, five to ten detailed transactions will be generated for each grant transactions.
During the normal course of operation, most guards don't need to see extensive reports on
events; however, after hours, it is often useful to see every detail.
Enable cipher Check this box to enable cipher mode.
mode
Use Shunt Check this box to enable the use of a shunt relay for this door.
Relay
Do Not Log Check this box to indicate that return-to-exit transactions do not get logged to the database.
Rex
Transactions
Doors - Door: Edit Screen

When you click the name of an existing door from the Doors list, the Door: Edit screen is displayed.
For definitions of the relevant fields and pages for each door type, refer to the page specific to your door
vendor.
l Door: Edit page (VertX® ) below
l Door: Edit page (Mercury Security) on page 252
Door: Edit page (VertX® )
When you select a VertX® door, the configurable options are arranged in tabs on the Door: Edit page.
Parameters tab (VertX® )
Define the door connections, door mode, schedule and processing attributes on the Parameters tab on the
Door Edit page.

Doors - Door: Edit Screen 239

partition.
Panel The panel the door is assigned to.
Subpanel The subpanel that is connected to the door.
This option is only displayed if there is a subpanel connected to the specified panel.
Lock Number A configured group of readers, inputs, and outputs that are connected from the subpanel to
the door. Select the lock number from the drop-down list.
Access Type The Access Type for the door.
Door Mode The entry mode for the door when the door controller is online and communicating with the
panel.
Offline Door The entry mode used for the door if the door controller is no longer communicating with the
Mode panel. The Offline Door Mode is no longer supported if the door controller is connected to
an LP4502 panel that has replaced an HID VertX panel.
Custom Any additional door mode the door must support outside the Door Mode and Offline Mode
Mode options.
Custom When the Custom Mode would be active.
Schedule
system are listed.
Mask Forced When Door Forced Open alarms from this door will be masked.
Schedule
system are listed.

Mask Held When Door Held Open alarms from this door will be masked.
Schedule
system are listed.
Always Mask Check this box to mask all Forced Door events.
Forced
Always Mask Check this box to mask all Door Held Open events.
Held
Door use The level of door event tracking that is logged in the Monitor page.
Tracking
l Used: Includes the details of when the door is used.
l Used with pending: Includes the events that occur between door use.
These options should only be used when the Detailed events option is enabled.
Deny Duress If a user indicates duress at a door, checking this box denies access.
Don't Pulse Check this box to disable the pulse of the door strike when request-to-exit button is
Door Strike activated.
on REX
Detailed Check this box to generate detailed events of all hardware at the door including door
Events position masking, timer expiration and output status.
event.
Enable Check this box to enable cipher mode.
Cipher Mode
Do Not Log Check this box to disable logging of request-to-exit transactions.
Rex
Transactions
Create New Click this button to generate a PDF report on this door.
Report
Add Door Click this button to add a new door.
Transaction Click this button to generate a PDF transaction report on this door.
Report
Show Policy Click this button to generate a PDF report on the current door policy.
Click this button to delete this door.
Click OK in the dialog box that displays to confirm the deletion. The door will be deleted and
you will be returned to the Doors list.

Operations tab (VertX®)
Edit door operations, including the door mode, door held pre-alarms, anti-passback and strike modes.

Lock The number ID for the set of inputs/outputs that are connected from the subpanel to the door.
Number
This option is only displayed if there are inputs or outputs connected to the selected
subpanel.
APB Mode The anti-passback mode for the door.
For a description of each option, see Anti-Passback Modes on page 215.

APB Delay The number of seconds before another entry is allowed.
Enter the number of seconds.

Into Area The area the user enters when passing through the door. If no area is specified, any location
is valid.
Select the area from the drop down list. Only those areas currently defined for this system
appear in this list.
Out of area The area the user moves into when exiting the door.
Select the area from the drop down list.

Strike Mode When a door should unlock. Specifies if the strike is deactivated when the door is opened,
when the door is closed, or when the strike timer expires.
Select the strike mode from the drop down list.

l Cut short when open — the strike is deactivated on open
l Turn off on close — the strike is deactivated on close.
l Full strike time — the strike is deactivated when the timer expires.
Held Pre- The number of seconds a door can be held open before a pre-alarm is issued.
Alarm
Instead of generating an alarm, it sends a warning signal to the Access Control Manager host.

Minimum The minimum amount of time the door will be unlocked. Each time the door is unlocked and
Strike Time open, the door will remain unlocked for the set amount of time. If you hold the door open for
longer than the set amount of time, the door automatically re-locks when it closes.
Enter the number of seconds. Default setting is 0 seconds.

Standard The standard number of seconds the strike will be activated.
Access time
Enter the number of seconds. If the door is not opened within this interval, the door is
automatically locked.
Held Open The number of seconds the door can be held open before a Door Held Open event is
Time generated. See also the Held Pre-Alarm and Extended Held Open Time fields.
Extended The strike time for a door configured for persons that require more time to enter through a
Access door.
Enter the number of seconds.

Extended The number of seconds the door can be held open for users with extended access
Held Open permissions.
Time
Card The card formats that are compatible with the reader at the door.
Formats
Check the box beside the card formats that apply.
Simple Macros
Type A default macro that is triggered when the following conditions are met for this door.
Currently available macros include:
l Forced
l Held
l Pre-Alarm
system are listed.
Output An output that is activated by the Type condition.
Commands Click Save Macro to save the settings for this canned macro. If this is a new macro, a new row
is automatically added below.
Click Remove Macro to delete a macro. This button only appears if the macro has been saved
in the system.
For more information, see Adding Simple Macros on page 211.

Report
Add Door Click this button to add a new door to the system.

Report
Hardware tab (VertX®)
When you click the Hardware tab at the Door Edit screen, the HID Hardware page is displayed. This page
allows you to connect and edit readers, inputs and outputs to the door.
Feature Description
Number
subpanel.
To edit one of the readers, inputs or outputs that are connected to the door, click beside
the hardware item:
l
If you click beside the Reader or Alternate Reader, the Reader Edit page is
displayed.
l
If you click beside the Door Position, REX #1 or Rex#2, the Input Edit page is
displayed.
l
If you click beside Strike, the Output Edit page is displayed.
Report
Add New Click this button to add a new door to the system.
Door
Hardware tab (VertX®) 244

Feature Description
Report
Reader Edit page (VertX®)

When you click the icon beside the Reader or Alternate Reader field on the Door Hardware page, the
Reader Edit page is displayed. This page allows you to define the options for this reader.
Feature Description
Name Enter the name of this reader.
Alt. name Enter an alternative name for this reader.
Location Enter a brief description of the location of this reader.
Keypad From the drop down option list, select the keypad decode or enryption method you want to use
decode for this reader. Choose from these options:
l Hughes ID 4-bit
l Indala
Wiegand Check this box to indicate that this reader supports the Wiegand standard.
NCI Check this box to indicate that this reader supports the NCI magstripe standard.
magstripe
Input Edit page (VertX®)

When you click the icon beside the Door Position or REX # field on the Door Hardware page, the Input
Edit page is displayed. This page allows you to define the options for this input.
Feature Description
Input The name of the input point.
Address The read-only address of this point.
Supervision If resistors are used to monitor the input, select the level of resistance expected to indicate
open or closed.
Reader Edit page (VertX®) 245

Feature Description
Debounce1 From the drop down list, select the number of units this input should be allowed to debounce.
The units are listed in milliseconds (ms).
Cameras Select the camera from the window that this input activates if it goes into alarm.
Only the cameras that have been added to the system are listed.
Show Policy Click this button to display the policies associated with this input module.
Output Edit page (VertX®)

When you click the icon beside the Strike field on the Door Hardware page, the Output Edit page is
displayed. This page allows you to define the options for this output.
Note: VertX® output panels do not have an operating mode option because they are automatically
energized when active. You can set the panels to be "not energized when active" if wired in reverse.
Feature Description
Output The name of this output point.
Address The read-only address for this output point.
Show Click this button to display the policies associated with this output module.
Policy
Output Edit page (VertX®) 246

Cameras tab (VertX®)
When you click the Cameras tab on the Door Edit screen, the HID Camera page is displayed. From this page,
you can assign specific cameras to record video of the selected door.
Feature Description
saving.
Partitions Displayed for a partitioned ACM appliance only. To restrict operator access to
the item, select one or more partitions. To allow all operators access to the item,
do not select a partition.
After you make your selection, new options may be displayed to define how the
door is connected to the panel.
Not applicable to Avigilon doors.

This option is only displayed if there is a subpanel connected to the selected

main panel.

Lock Enter the number ID for the set of inputs/outputs that are connected from the
Number subpanel to the door.
This option is only displayed if there are inputs or outputs connected to the
selected subpanel.
Door The number that has been assigned to the door module by the wireless lock
Number configuration device.
Camera Select the external system that is connected to the camera.
Type
The Available window is populated with those cameras that fit this definition.
Click the Camera button beside this field to view live video from the camera. For
more information on the video viewer window, see Configuring and Viewing
Live Video Stream on page 267.
Available This window displays a list of cameras that have been configured in the system.
To connect a camera to the door, select the camera from the Available list, then
click to move it to the Members list.
Cameras tab (VertX®) 247

Feature Description
Members The window displays a list of cameras that are currently connected to the door.
To disconnect a camera from the door, select the camera from the Members list,
then click to move it to the Available list.
Search If you have more than 10 cameras, the Search feature may be displayed to help
you find the cameras you need.
In the Search field, enter the name of the camera you want to find, then click
Filter. You can narrow your search by selecting the Case-sensitive option. Click
Clear to restore the full list of available cameras.
Click this button to generate a PDF report on this door.

Report
Show Policy Click this link to view a PDF report indicating the current policy associated with
this door.
Events tab
For Mercury Security, VertX and Avigilon doors
View door events on the Events tab in Physical Access.
This page lists all the local and global events that can be triggered by this door. The Local Events table is only
listed when there are local events configured for the door.
Local Events
This table is only displayed if there are local events for the device.
Name The name of this event.
Click the name to edit the local event.

Event The event type.
Source Type The source of this event.
Has On/Off If the event toggles on or off.
Click Yes or No.

Masked If the event is masked.
Click to change status to (yes) or (no).
Events tab 248

Logged If the event is logged.

Show Video If a video is available for the event. If 'yes' is selected, the live video window
automatically pops up when the event is received.

Click this button to delete the local event.
Global Events
This table displays all the global events that are related to this type of device.
Source Type the source of this event.
Click Yes or No.




Create Local Click this button to create a version of this global event that only applies to the
specific device.
Doors - Creating Local Events for VertX® Doors

When you click the Create Local button from the Door Events page, the local version of the Event page is
displayed. This page is a copy of the global event that can be customized as a local event for this specific
door.
Note: Changes on this page do not affect the global event.
Make any changes as required.

Feature Description
Name The name of the event, which you can change if the name is not
Return The name used to identify that this event is over, or the return-to-normal (RTN) ) name of this
Name event, such as the door closing and locking after access has been granted, or after the
configured door open time has expired.
Event Type Specify the event type.
Only events types that have been defined in the system appear in the drop down list.
Source Type The device that is the source of the event.
Priority Specify the priority of this event.
The priority range is 1 - 999.
The Alarm Monitor displays alarms according to their priority. Priority 1 is the highest priority
and is always displayed at the top.
Alarm Select an alarm sound that is played when a new alarm occurs while you are monitoring the
Sound Alarms page.
Suppress Select a schedule when alarm events are not reported.
Time
Only schedules that have been defined in the system are listed.
Instructions Enter any instructions that may be required for handling this event.
The instructions are made available to the user on the Monitor screen.
Return Select the event type of the RTN event.
Event
Return Specify the priority of the RTN event.
Priority
Has on/off Indicates that this event has an RTN event associated with it.
Note: Adding return event information manually on this screen does not change the
setting of this checkbox. It is set only if the original event has an associated
RTN event defined for it.
Masked Check this box to indicate that this a masked event by default. This can be changed on the
Event List page.
Logged Check this box to log the event by default. This can be changed on the Event List page.
Note that if Event Type logging is turned on, then all Events of that Event Type are logged,
regardless of their individual logging configuration. If Event Type logging is turned off, then
the logging configuration of the specific Events of that Event type are adhered to.
Show Video Check this box to auto-launch video from the linked camera feed when the event occurs by
default. This can be changed on the Event List page.
This feature only works if video is enabled.

Feature Description
Two Person Check this box to specify that two people are required to acknowledge and clear this event.
Required To
Clear If this box is checked then the operator that executes the Clear cannot be the same operator
that executes the Acknowledge.
If the same operator attempts to clear the alarm, then nothing will happen.
Email Enter the email address of all the people who should be notified when this event occurs.
You can enter more than one email address separated by a comma.
Roles:
Available A list of all the roles that are available to you in the system.
To allow specific role to have access to view or edit this event, select a role from the Available
list then click to add the role to the Member list.
To move one or more roles to the Members window, click to select one role then Ctrl + click
to select a non-consecutive group of roles, or Shift + click to select a consecutive roles.
Members A list of all the roles that are able to view or edit this event.
If this event is associated with at least one role, then any user who does not have the selected
roles will not be able to view or edit the event.
Access tab (VertX® )
When you click the Access tab on the Door: Edit screen, the Access page is displayed. This page provides a
list of the access groups, roles and identities that have permission to edit or use this door.
Feature Description
Access The name of this access group. Click this link to edit the access group.
Group
Roles Lists the roles this access group is a member of.
Click the + or - symbol beside each role to show or hide the identities that are in the access
group through the role.
Identities Lists the users who are members of the access group.
Transactions tab (VertX® )
When you click the Transactions tab on the Door: Edit screen, the HID Transaction page is displayed.
This page allows you to review events and alarms that have occurred at this door. The table displays the
following information about each event:
Access tab (VertX® ) 251

Feature Description
Panel Date The date and time when the event occurred.
Priority The priority of the event. The highest priority is 1 and the lowest priority is 999.
Event The name of the event.
Last Name The last name of the person who generated the event.
First Name The first name of the person who generated the event.
Card Number The internal token number assigned to the person who generated the event.
Message This displays any messages that may be associated with the event.
Door: Edit page (Mercury Security)
When you select a Mercury Security door, the configurable options are arranged in tabs on the Door: Edit
page.
Parameters tab (Mercury Security)
When you click the Parameters tab on the Door Edit screen, the Parameters page is displayed. This page
allows you to define the door connections, door mode, schedule and processing attributes.
Feature Description

partition.
Door: Edit page (Mercury Security) 252

Feature Description
Lock Number A configured group of readers, inputs, and outputs that are connected from the subpanel to
or the door.
Door Number
For wired connections, the door number from the drop-down list.
For wireless locks only:

l The number programmed for the lock. For all locks except SimonsVoss, select the
number from the drop-down list.
l For SimonsVoss wireless locks, the hexadecimal address assigned by the
SmartIntego Tool. For more information, see Configuring SimonsVoss Wireless Locks
on page 191.
Access Type Select the Access Type from the drop down list. Any door that is created with this template
will be set to this type.
Use Single for a door with one reader on one side of the door only (single reader door). Use
Paired Primary and Paired Replica for a door with two readers, one on each side of the door
(paired reader door). Paired readers allow each side of a single physical door to act like a
separate door. This is particularly useful for anti-passback and mustering.
If you set the access type to either Paired Primary or Paired Replica, when you add a door
using this template, the Door Add page displays with the additional field, Linked Door. Use
this field to select the door with the reader on the other side. The linking between the doors
has to be done separately from adding the door.
The Access Type can also be configured in the Wiring Template. When configured in both
the Wiring Template, and the associated Door Template, the setting in the Wiring Template
takes precedence. It is recommended that you use the Wiring Template to efficiently create
linked paired doors.
Door Mode The entry mode for the door when the door controller is online and communicating with the
panel.
Select a Door Mode option from the drop down list.

Offline Mode The entry mode used for the door if the door controller is no longer communicating with the
panel. The Offline Door Mode is no longer supported if the door controller is connected to
an LP4502 panel that has replaced an HID VertX panel.
Select the Offline Mode option from the drop down list.

Feature Description
Lock Select how the interior lock button will function.
Function
l Privacy — When you press the interior lock button, the door will lock and the exterior
lock will not grant access to any token. To unlock, you must press the interior lock
button again or exit the room.
l Apartment — When you press the interior lock button, the door will lock but any valid
token will open the door. The door must be manually locked or it will stay unlocked.
l Classroom — Classroom/Storeroom. The lockset is normally secure. The inside lever
always allows free egress. Valid toggle credentials (i.e. a valid card that is swiped
twice within five seconds) on the exterior may be used to change to a passage or
secured status. Not to be used on mortise deadbolt. Interior push button not to be
used.
l Office — The lockset is normally secure. The inside lever always allows free egress.
An interior push-button on the inside housing may be used to select a passage or
secured status. Meets the need for lockdown function for safety and security. Valid
toggle credentials (i.e. a valid card that is swiped twice within five seconds) on the
exterior may also be used to change status. Not to be used on mortise deadbolt.
There is a Restore door action available on the Hardware Status page or Door Listing page
which resets the door's configuration values to their default value. If the door is in any mode
(Classroom, Office, Privacy, or Apartment) it will be 'restored' to the opposite status (e.g. if
the door is in Privacy mode then it is locked - if the Restore option is selected then the door
will return to its default mode, which is the mode set in the base configuration for the door).
Custom Select any additional door mode the door must support outside the Door Mode and Offline
Mode Mode options.
Schedule
system are listed.
Schedule
system are listed.
Schedule
system are listed.
Always Mask Check this box to specify that Door Forced Open alarms at this door are always masked.
Forced
Always Mask Check this box to specify that Door Held Open alarms at this door are always masked.
Held

Feature Description
Log Grants When this box is checked, the system logs an extra event as soon as there is a grant (that is,
Right Away before entry / no entry is determined). This event is not turned into a Access Control
Manager event. Check this box in order to initiate local I/O in the panel using the panel
triggers.
Certain customers may have a trigger they want to fire (to execute a macro) as soon as there
is a grant but before entry / no entry is determined.
Deny Duress Check this box to deny access to a user that indicates duress at a door.
Don't Pulse Check this box to disable the pulse of the door strike output when the request-to-exit button
Door Strike is pressed and can be used for a 'quiet' exit.
on REX
If this box is not checked, the output is pulsed.
Require Two Check this box to specify that two tokens are required to open this door. This enforces two-
Card Control person rule at a specified door.
Door Forced Check this box to enable the filter feature for door forced alarms.
Filter
There are instances when a door is either slow to close or is slammed shut and bounces
open for a few seconds. With this filter, the monitor allows three seconds for a door to close
before issuing an alarm.
Log All Check this box to log all access grant transactions as if the person used the door. If this box
Access as is not checked, the door determines if it was opened and will distinguish if the door was
Used
used or not used for grant.
Detailed Check this box to display the current position of the door position switch (DPOS) in the Door
Events State column of the door listing screen. When enabled the column will display “Open” when
the DPOS is in an open state and “Closed” when the DPOS is in a closed state.
Note: To properly report the Door State from the Door Position Switch, Detailed
Events must be enabled.
Typically, five to ten detailed transactions will be generated for each grant transactions.
During the normal course of operation, most guards don't need to see extensive reports on
events; however, after hours, it is often useful to see every detail.
Enable Check this box to enable cipher mode.
Cipher Mode
Use Shunt Check this box to enable the use of a shunt relay for this door.
Relay
Do Not Log Check this box to indicate that return-to-exit transactions do not get logged to the database.
Rex
Transactions

Feature Description
Report
Add New Click this button to add a new door.
Door
Report
Click this button to delete this door.
Click OK in the dialog box that displays to confirm the deletion. The door will be deleted and
you will be returned to the Doors list.
Operations tab (Mercury Security)
Edit door operations, including the door mode, door held pre-alarms, anti-passback and strike modes.

Number
subpanel.
Door The number that has been assigned to the door module by the wireless lock configuration
Number device.

APB Mode The Anti-Passback (APB) mode for the door.
For more information on Anti-Passback modes, see Anti-Passback Modes on page 215.

APB Delay Tthe number of seconds before another APB entry with this badge is allowed. Leave blank for
no delay, enter 0 to never allow an entry with this badge until it has been used at another
door.
Into Area The area that the user enters by passing through the door.
Out of area The area that the user exits by passing through the door.
PIN Timeout The number of seconds that a user is allowed to enter multiple PIN attempts before
generating “Deny Count Exceeded” event.
Note: If the PIN Timeout is set to 10 seconds and then the PIN Attempts is set to two,
this tells the system, if there are two bad PIN attempts within 10 seconds then
generate a Deny Count Exceeded event.
PIN The number of times a user can attempt to enter a PIN within the allotted PIN Timeout time
Attempts frame before an “Deny Count Exceeded” event is generated.
Strike Mode The strike mode.
l Cut short when open — the strike is deactivated when the door opens.
l Full strike time — the strike is deactivated when the strike timer expires.
l Turn off on close — the strike is deactivated when the door closes.
LED Mode The LED mode to specify how the reader LEDs are displayed.
For more information on LED modes, see LED Modes for Mercury Security on page 322.
Held Pre- The number of seconds a door can be held open before a pre-alarm is issued.
Alarm
Instead of generating an alarm, it sends a warning signal to the Access Control Manager host.
Access time The number of seconds the door remains unlocked after a card has been swiped.
when open
Standard The number of seconds the door remains unlocked after access has been granted.
Access time
If the door is not opened within this time, it will automatically lock.
Held Open The number of seconds the door can be held open before a Door Held Open event is
Time generated. See also the Held Pre-Alarm and Extended Held Open Time fields.
Extended The number of seconds the door remains unlocked after access has been granted to token
Access holders with extended access permissions.

Extended The number of seconds the door can be held open for users with extended access
Held Open permissions.
Time
This feature is useful for users that may require more time to enter a door. Use with the Held
Open Time field.
Card Identify the card formats that the door accepts by moving them into the Members column if
Formats they are not already listed.
All of the doors on a panel (and its subpanels) can collectively use at most 16 distinct card
formats, from the up to 128 card formats defined for the entire system.
When the door is created, the initial selection of card formats depends on:
l If there are 16 or less card formats defined in the system, all card formats are in the
Members column.
l If there are 17 or more card formats in the system, and:
o No card formats are selected for the panel assigned to the door, then the
Members column is empty. You must select the card formats accepted at the
door.
o Some door formats are selected for the panel assigned to the door, then those
formats are listed in the Members column. You can add more up to a total of 16.
l If the door is created using a door template, and the template specifies:
o No Change: The Members column is populated as described above.
o Blank: Any selection from the panel is ignored and the Members column is
empty. You must select the card formats accepted at the door.
o Assign: The contents of the Members column from the panel are replaced by
the contents of the Members column from the door template.
o Add: Card formats not in the Members column from the panel that are in the
Members column of the door template are added, up to a maximum of 16. If
there are more than 16, you will have to manually adjust the list.
o Remove: Any card formats in the Members column from the panel that are in
Members column of the door template are removed.
Simple Macros
Type Select a default macro that is triggered when the following conditions are met for this door.
Currently available macros include:
l Forced
l Held
l Pre-Alarm
Schedule Define when this macro can be triggered.
system are listed.
Op Type Select an operation type used by this macro.

Output Select an output that is activated by the 'Type' condition.
Commands Click Save Macro to save the settings for this canned macro. If this is a new macro, a new row
is automatically added below.
Click Remove Macro to delete a macro. This button only appears if the macro has been saved
in the system.
For more information, see Adding Simple Macros on page 211.
The following options are always active:
Create New Report Click this button to generate a PDF report on this door.
Transaction Report Click this button to generate a PDF transaction report on this door.
Hardware tab (Mercury Security)
When you click the Hardware tab at the Door Edit screen, the Mercury Hardware page is displayed. This
page allows you to connect and edit readers, inputs and outputs to the door.
Feature Description

Feature Description
Lock The number programmed for the lock. For all locks except SimonsVoss, this is a decimal
Number number. For SimonsVoss wireless locks, this is a hexadecimal number.
or
Door
Number
Unassign All Click this button to reset all of the values below and start over.
To edit one of the readers, inputs or outputs that are connected to the door, click beside
the hardware item:
l
If you click beside the Reader or Alternate Reader, the Reader Edit page is
displayed.
l
If you click beside the Door Position, REX #1 or Rex#2, the Input Edit page is
displayed.
l
If you click beside Strike, the Output Edit page is displayed.
Elevators
The following options are only listed if the door is an elevator.
Offline This identifies the floor that this door reader defaults to if communication between the
Access panel/subpanel and the door's reader goes offline. The door will automatically provide access
to one or more designated floors or doors, with or without card/code entry, if this condition
occurs.
Select the elevator access level from the drop down list.
Only the elevator levels that have been defined in the system are listed.
Facility This identifies the elevator access level that this elevator defaults to if facility code mode is in
Access effect.
Select the elevator access level you require from the drop down list.
Custom This identifies the elevator access level that this elevator defaults to when custom code mode
Access is in effect.
Select the elevator access level you require from the drop down list.
Elevator Select the output this elevator uses.
Outputs
Elevator Select the input this elevator uses.
Inputs

Feature Description
Report
Report
Reader Edit page (Mercury Security)

When you click the icon beside the Reader or Alternate Reader field on the Door Hardware page, the
Reader Edit page is displayed. This page allows you to define the options for this reader.
Feature Description
Name Enter the name of this reader.
Alt.name Enter an alternative name for this reader.
Location Enter a brief description of the location of this reader.
Reader Type Select the communication protocol used by the reader. The options include:
l OSDP
l F/2F.
l D1/D0 (Wiegand )
l Custom (Default)
Note: Custom enables all options for all reader types. Readers configured
with versions of the ACM software earlier than Release 5.10.4 are assigned
this reader type when the software is upgraded to ensure that the previous
settings are retained.

Feature Description
LED drive Select the LED drive mode for this reader. The options depend on the reader model and
how it is wired and include:
l None
l Gen 1 wire
l Reserved
l Dorado 780
l LCD
l OSDP
Format by Check this box to indicate that this reader supports the format by nibble.
nibble
Bidirectional Check this box to indicate that this reader can reader bidirectionally.
F/2F Decoding Check this box to indicate that this reader uses F or F2 decoding.
Inputs on Check this box to indicate that this reader provides one or more input ports for serial input
reader arrays.
Keypad decode Select the keypad decode/encryption method that is used by this reader. The options
include:
l MR20 8-bit tamper
l Hughes ID 4-bit
l Indala
Wiegand Check this box to indicate that this reader supports the Wiegand standard.
Trim Zero Bit Check this box to indicate that this reader supports the trim zero bit standard.
Protocol
Tip: If a reader with secured OSDP communication has to be replaced, it must be

replaced with a reader that supports OSDPv2. Communication between the
replacement reader and the controller must be secured, and the communication
between the controller and the other OSDPv2 readers must be resecured.

Feature Description

NCI magstripe Check this box to indicate that this reader supports the NCI standard for magnetic stripes.
Supervised Check this box to indicate that this reader is supervised (outfitted with detection devices)
partition.
Input Edit page (Mercury Security)

When you click the icon beside the Door Position or REX # field on the Door Hardware page, the Input
Edit page for the subpanel of the door is displayed. This page allows you to define the options for this input.
Feature Description
Input The name of the input point.
Address The read-only address of this point.
EOL Select the End of Line resistance of this input.
resistance
Only the EOL resistance that have been defined in the system are listed.
Input Edit page (Mercury Security) 263

Feature Description
Debounce1 From the drop down list, select the number of units this input should be allowed to debounce.
Each unit is approximately 16 ms.
Hold time Set the amount of time that the alarm will stay in alarm after returning to normal.
For example, if the input point goes into alarm, then restores, it will hold it in that alarm state for
1 to 15 seconds after it returns to normal before reporting the normal state.
Cameras Select the camera from the window that this input activates if it goes into alarm.
Only those cameras previously defined for this system appear in this window.
Policy
Output Edit page (Mercury Security)

When you click the icon beside the Strike field on the Door Hardware page, the Output Edit page for the
subpanel of the door is displayed. This page allows you to define the options for this output.
Feature Description
Output Enter a name for this output.
Address The read-only address for this output point.
Mode
is active.
Output Edit page (Mercury Security) 264

Feature Description
Show Click this button to display the policies associated with this output point.
Policy
Elev tab (Mercury Security)
When you click the Elev tab at the Door Edit screen, the Mercury Security Elev table displayed. This page
allows you to view elevator door details.
Feature Description
Name Name of the elevator door. If you click on the name it links back to the Parameters tab for the
door.
Inputs List of inputs for the related elevator input module.
Outputs List of outputs for the related elevator output module.
Cameras tab (Mercury Security)
When you click the Cameras tab on the Door: Edit screen, the Camera page is displayed. From this page, you
can assign specific cameras to record video of the selected door.
Feature Description
saving.
After you make your selection, new options may be displayed to define how the
door is connected to the panel.
Elev tab (Mercury Security) 265

Feature Description
This option is only displayed if there is a subpanel connected to the selected

main panel.

Lock Enter the number ID for the set of inputs/outputs that are connected from the
Number subpanel to the door.
This option is only displayed if there are inputs or outputs connected to the
selected subpanel.
Door The number that has been assigned to the door module by the wireless lock
Number configuration device.
Camera Select the external system that is connected to the camera.
Type
The Available window is populated with those cameras that fit this definition.
Click the Camera button beside this field to view live video from the camera. For
more information on the video viewer window, see Configuring and Viewing
Live Video Stream on the next page.
Available This window displays a list of cameras that have been configured in the system.
To connect a camera to the door, select the camera from the Available list, then
click to move it to the Members list.
Members The window displays a list of cameras that are currently connected to the door.
To disconnect a camera from the door, select the camera from the Members list,
then click to move it to the Available list.
Search If you have more than 10 cameras, the Search feature may be displayed to help
you find the cameras you need.
In the Search field, enter the name of the camera you want to find, then click
Filter. You can narrow your search by selecting the Case-sensitive option. Click
Clear to restore the full list of available cameras.
Click this button to generate a PDF report on this door.

Report
Show Policy Click this link to view a PDF report indicating the current policy associated with
this door.
Cameras tab (Mercury Security) 266

Configuring and Viewing Live Video Stream
Overview
You can view the LIve Video window in ACM, if configured.
Typically, the Live Video window includes:
1 Camera Displays controls for viewing the related camera video, including switching from live to
Controls recorded video, pan-tilt-zoom (PTZ) controls for PTZ cameras and changing the video
Tool Bar
display layout.
2 Camera List Displays all the cameras that are linked to the event. Click the name of a camera to display
the video. Use one of the multi-video layouts to display more than one camera at a time.
3 Image Displays the video stream from the connected cameras. In the top-right corner, you can
Panel minimize and maximize the display or close the video.
Note: The window may look different and have different controls depending on the external camera
system that is connected to the ACM system.
Configuring Live Video Stream

To configure live video stream from connected cameras:
1. Selects Physical Access > Doors.

Configuring and Viewing Live Video Stream 267

3. On the Cameras tab, select:
Camera Type The external system that is connected to the camera: Network, Exacq,
Avigilon or Milestone. Move the cameras to the Members column.

5. Click the Camera button to view live video from the camera.
Interlocks tab (Mercury Security Doors)
When you click the Interlocks tab on the Door: Edit screen, the Interlocks list is displayed. This page lists all
the Interlocks that have been added to the system.
Feature Description
Name The name of the interlock.
Click the name to edit the interlock.

Enabled This field indicates if the interlock is enabled. Select either Yes or No.
Schedule This field indicates what schedule is used to define when the interlock is active.
Delete Click to delete this interlock from the list.
Add Interlock Click this button to add a new interlock to the system.
Interlocks Add page

When you click Add Interlock from the Interlocks list, the Interlocks Add page is displayed. Depending on
what settings you choose, some of the listed options may not be displayed.
Feature Description
Name Identifies the interlock.
Enter a unique name for the interlock.

Enabled Check this box to specify that the interlock is enabled and active.
system are listed.
Source Identifies the source type of the interlock.
Type
Select the source type from the drop down list.
Source Identifies the source of the interlock.
Select the source from the drop down list. Options in this drop down list will vary depending on
the source type specified.
Interlocks tab (Mercury Security Doors) 268

Feature Description
Event Type Identifies the event type the interlock is associated with.
Select the Event Type from the drop down list. The options change to match the selected
source option.
Only those Event Types currently defined by the system appear in this list.
Event Select the event that will trigger the interlock.
Events appearing in this list vary depending on the event and source specified. For more on
this, refer to Event Types - Introduction.
Interlocks with:
Type Select the type of component that triggers this interlock.
Subpanel If applicable, select from the drop down list the subpanel where this interlock is triggered.
Target From the drop down list, select the target that is triggered by this interlock.
Command to run:
Command This identifies the command script to be run.
Select an existing command from the drop down list.
Only those commands previously defined by the system appear in this list.
Function If applicable, select from the drop down list the function to be run.
Arg Text If the command requires an argument, enter the required argument in this text box.
This option is not displayed if an argument is not required.

Interlock Edit page

When you click the name of an interlock from the Interlocks list, the Interlock Edit page for the door is
displayed.
Feature Description
Name Identifies the interlock.
Enter a unique name for the interlock.

Enabled Check this box to specify that the interlock is enabled and active.
system are listed.
Source Identifies the source type of the interlock.
Type
Select the source type from the drop down list.
Interlock Edit page 269

Feature Description
Source Identifies the source of the interlock.
Select the source from the drop down list. Options in this drop down list will vary depending on
the source type specified.
Event Type Identifies the event type the interlock is associated with.
Select the Event Type from the drop down list. The options change to match the selected
source option.
Only those Event Types currently defined by the system appear in this list.
Event Select the event that will trigger the interlock.
Events appearing in this list vary depending on the event and source specified. For more on
this, refer to Event Types - Introduction.
Interlocks with:
Type Select the type of component that triggers this interlock.
Subpanel If applicable, select from the drop down list the subpanel where this interlock is triggered.
Target From the drop down list, select the target that is triggered by this interlock.
Command to run:
Command This identifies the command script to be run.
Select an existing command from the drop down list.
Only those commands previously defined by the system appear in this list.
Function If applicable, select from the drop down list the function to be run.
Arg Text If the command requires an argument, enter the required argument in this text box.
This option is not displayed if an argument is not required.

Events tab
For Mercury Security, VertX and Avigilon doors
View door events on the Events tab in Physical Access.
This page lists all the local and global events that can be triggered by this door. The Local Events table is only
listed when there are local events configured for the door.
Local Events
This table is only displayed if there are local events for the device.
Click the name to edit the local event.
Events tab 270

Click Yes or No.




Click this button to delete the local event.
Global Events
This table displays all the global events that are related to this type of device.
Source Type the source of this event.
Click Yes or No.




Create Local Click this button to create a version of this global event that only applies to the
specific device.
Doors - Creating Local Events for Mercury Security Doors

When you click the Create Local button from the Door Events page, the local version of the Event page is
displayed. This page is a copy of the global event that can be customized as a local event for this specific

door.
Note: Changes on this page do not affect the global event.
Make any changes as required.
Feature Description
Name The name of the event, which you can change if the name is not
Return The name used to identify that this event is over, or the return-to-normal (RTN) ) name of this
Name event, such as the door closing and locking after access has been granted, or after the
configured door open time has expired.
Event Type Specify the event type.
Only events types that have been defined in the system appear in the drop down list.
Source Type The device that is the source of the event.
Priority Specify the priority of this event.
The Alarm Monitor displays alarms according to their priority. Priority 1 is the highest priority
and is always displayed at the top.
Alarm Select an alarm sound that is played when a new alarm occurs while you are monitoring the
Sound Alarms page.
Suppress Select a schedule when alarm events are not reported.
Time
Only schedules that have been defined in the system are listed.
Instructions Enter any instructions that may be required for handling this event.
The instructions are made available to the user on the Monitor screen.
Return Select the event type of the RTN event.
Event
Return Specify the priority of the RTN event.
Priority
Has on/off Indicates that this event has an RTN event associated with it.
Note: Adding return event information manually on this screen does not change the
setting of this checkbox. It is set only if the original event has an associated
RTN event defined for it.
Masked Check this box to indicate that this a masked event by default. This can be changed on the
Event List page.

Feature Description
Logged Check this box to log the event by default. This can be changed on the Event List page.
Note that if Event Type logging is turned on, then all Events of that Event Type are logged,
regardless of their individual logging configuration. If Event Type logging is turned off, then
the logging configuration of the specific Events of that Event type are adhered to.
Show Video Check this box to auto-launch video from the linked camera feed when the event occurs by
default. This can be changed on the Event List page.
This feature only works if video is enabled.

Two Person Check this box to specify that two people are required to acknowledge and clear this event.
Required To
Clear If this box is checked then the operator that executes the Clear cannot be the same operator
that executes the Acknowledge.
If the same operator attempts to clear the alarm, then nothing will happen.
Email Enter the email address of all the people who should be notified when this event occurs.
You can enter more than one email address separated by a comma.
Roles:
Available A list of all the roles that are available to you in the system.
To allow specific role to have access to view or edit this event, select a role from the Available
list then click to add the role to the Member list.
To move one or more roles to the Members window, click to select one role then Ctrl + click
to select a non-consecutive group of roles, or Shift + click to select a consecutive roles.
Members A list of all the roles that are able to view or edit this event.
If this event is associated with at least one role, then any user who does not have the selected
roles will not be able to view or edit the event.
Access tab (Mercury Security)
When you click the Access tab on the Edit screen, the Access page is displayed. This page provides a list of
the access groups, roles and identities that have permission to edit or use this door.
Feature Description
Access The name of this access group. Click this link to edit the access group.
Group
Roles Lists the roles this access group is a member of.
Click the + or - symbol beside each role to show or hide the identities that are in the access
group through the role.
Identities Lists the users who are members of the access group.
Access tab (Mercury Security) 273

Transactions tab (Mercury Security)
When you click the Transactions tab on the Door: Edit screen, the list of transactions for the door is
displayed.
This page allows you to review events and alarms that have occurred at this door. The table displays the
following information about each event:
Feature Description
Priority The priority of the event. The highest priority is 1 and the lowest priority is 999.
Message This displays any messages that may be associated with the event.
Doors - Access page

The door access page is found on every version of the door. The access page for each manufacturer is:
l Doors - Mercury Security Door Access
l Doors - HID VertX® Access
Viewing Door Events, Access Groups and Transactions

To view access information, events and alarms generated for doors:

For more information about door state and door mode, see Adding Doors on page 225.
For event descriptions, see Troubleshooting on page 515.
3. Click the Events tab to view all the global events that are related to the device:
Name The name of the event.
Event The type of event.
Click Yes or No.

Transactions tab (Mercury Security) 274

Tip: You can also view events using Monitor > Events. For more information, see
Monitoring Events on page 28.
4. Click the Access tab to view the access groups, roles and identities that have permission to edit or use
the door (not applicable to RU and RM exit devices):
Access Groups The name of the access group. Click the link to edit the access group.
Roles The roles that the access group is a member of. Click the + or - icon next to
each role to show or hide the identities in the access group through the role.
Identities The users who are members of the access group.
Priority The priority of the event. The highest priority is 1 and the lowest priority is
999.
Message Any messages that are associated with the event.
For more information, see Managing Door Access on page 112.
5. Click the Transactions tab to view the events and alarms that have occurred at the door:
999.
For more information, see Configuring Roles on page 87.
Viewing Door Events, Access Groups and Transactions 275

Configuring ACM Verify™ Virtual Doors
The ACM Verify function allows authorized ACM system users to connect any web browser-enabled mobile
device to the ACM system and use the device as a virtual station for a door configured as an ACM Verify
Station. A virtual station controls access to places that do not have access-controlled doors or locks.
Examples are outdoor mustering stations for fire drills, a bus for school trips or a work area in an open-plan
office. People entering a place controlled by a virtual station must verify they are authorized to access the
area by entering their PIN code on the device. Typically, wireless web browser-enabled devices, such as
mobile phones and tablets, are used as virtual stations although any device with a web-browser can be used.
ACM system users assigned the ACM Verify Administrator role can add and configure doors as ACM Verify
stations, and administer the virtual stations and paired devices in the ACM system. They can also administer
other doors.
ACM system users assigned the ACM Verify User role can access the ACM Verify functionality on their mobile
devices that let the devices act as virtual stations, and can pair their mobile device to the ACM system.
Adding an ACM Verify Door

To set up a door as an ACM Verify Station
1. Add a new door from the Doors listing panel, and complete the Name, Alt Name, Location and
Appliance fields.
2. In the Vendor field, select Avigilon. The Station Type field is automatically set as ACM Verify.
3. Configure the station as either Managed or UnManaged,
l A managed station prompts the operator of the virtual station to verify that the person who
enters a PIN code is using a valid PIN code and it also displays a picture and other information
for additional verification.
l An unmanaged station only verifies whether the PIN code the person entered is a valid PIN
code that has access to the virtual station.
4. Set the timezone for the events reported by the virtual station if it needs to be different than the
timezone used by the appliance.
5. Specify an area if you want the virtual station to act as an entrance to the area.
If the virtual station is configured with an area, a valid PIN code entry at the station moves the identity
associated with the PIN code into the area. If it also configured as a managed virtual station, the user
can then view a list of the identities with photos that are in the area.
6. Configure Station Authorization as Paired or Login
l A paired station is secured by pairing a specific device to the server so that only an
ACM software user in possession of the paired device and one of the required roles, or their
equivalent delegation set can access the ACM Verify station.
l A login station is secured only by ACM login credentials and so that any ACM system user with
the required roles, or their equivalent delegation set, can access the ACM Verify station from
any device.
Configuring ACM Verify™ Virtual Doors 276

7. If Station Authorization is set to Paired, two lists are displayed. The Available list displays devices
paired to the ACM appliance but not assigned to this door. The Members list displays the paired
devices assigned to this door. Use the and keys to move devices between the two lists.
8. To pair a new device to the ACM appliance, click Add Paired Device. For more information, see Paired
Devices on the next page.
9. Click to save the door. The page refreshes and displays the information you entered on
Parameters tab for the door.
Parameters tab (Avigilon)

After you save a new door as an ACM Verify Station for the first time, the screen refreshes and displays the
initial Parameters tab for the door.
When you click the Parameters tab on the Door Edit screen, the Parameters page is displayed. This page
allows you to define the door connections, door mode, schedule and processing attributes.
Feature Description
Vendor The name of the door manufacturer. Select Avigilon for an ACM Verify Station.
Station Type Displays ACM Verify as the type of station used on the connected devices. A device
that uses this type of station is called a virtual station.
Managed or Select if you want the ACM Verify Station managed or not.
UnManaged
l A managed station requires the virtual station user to grant or deny access to
the person entering a valid PIN code. It also displays the name and picture of
the user for verification.
l An unmanaged station automatically grants or denies access and does not
provide any additional information when a PIN code is entered.
Geographic Select the time zone where the ACM Verify device is used if it is different from the
Timezone ACM appliance value.
Into Area Select the area where the ACM Verify device is used to monitor access. Select the
Don't Care option if the ACM Verify reader is not used to control access to a specific
area. You must specify an area if you want the virtual station to list all the people who
have entered the area.
Parameters tab (Avigilon) 277

Feature Description
Station Select Login if the user logs in to the ACM software using the ACM URL from the
Authentication browser on the ACM Verify device. Select Paired if the ACM Verify device is paired to
ACM software.
Tip: If the authentication type is Paired, the Door Add page re-displays with
the Add Paired Device button.
Available Lists the available ACM Verify devices that have been paired to the ACM system.
Members Lists the paired ACM Verify devices that are assigned to this station.
Click to move a paired device from the Available list to the Members list.
Click to move a paired device from the Members list to the Available list.
Add Paired Device Click to add a new paired device. See Add Paired Device for more information.
Paired Devices
Pairing devices to the ACM appliance ensures that access to ACM Verify Stations is restricted to authorized
devices.
Pairing must be completed by both the ACM administrator and the user of the connected device. The device
user must be an authorized ACM user with the ACM Verify User role or equivalent at a minimum. The pairing
persists as long as the cookie used for the pairing exists. See Precautions for Paired ACM Verify Stations on
the next page
CAUTION — In a failover deployment of the ACM system, pair the device to both the main server and the
failover server. When a failover occurs, the ACM operator must restore the pairings for all ACM Verify devices
to the failover server, and repeat the process when the main server is back in service.
Prerequisites for Pairing Devices

Before pairing a device:
1. The ACM operator provides the user with the IP address or hostname of the ACM appliance. Do not
provide both. Use one format for the address of the ACM appliance for all pairings.
The ACM appliance IP address or hostname is visible in the web browser's navigation bar from any
ACM client window.
2. The device user must have the web browser open on their device.
The pairing must be completed within ten minutes of the ACM operator generating the PIN for pairing.
Although the user's device is paired to the ACM appliance, the virtual stations configured for paired
Paired Devices 278

authentication are only active for a device when installed and the user's device is in the Members column for
that station.
A device can be paired to only one active ACM appliance. If a failover ACM appliance is configured, pair all
ACM Verify devices to both servers. If a fail-over occurs, you must reassign devices to the ACM Verify stations
on the fail-over server while it is active, and reassign them back to the main server after it is returned to
service. Pairing devices in advance will make this task much more efficient.
To pair a device, see Pairing a Device below.
Precautions for Paired ACM Verify Stations

A paired device uses cookies to connect to ACM. Take the following precautions:
l Always use the same device and browser to connect. Cookies are not shared between different
devices or browsers.
l Do not pair the device while in private mode on your browser. Cookies are not saved when you are in
private mode.
l Cookies are lost if you:
o Clean up history and cookies in your browser
o Pair the device using an IP address and then use the host name to access ACM.
If a device browser loses the cookie, it cannot access ACM Verify and you must pair the device again. Before
the device can be paired again, the previous pairing must be deleted from the ACM appliance.
Pairing a Device
A device needs to be paired to the ACM appliance to access the ACM Verify function. A device can be paired
to the ACM appliance at any time, or when adding a door as an ACM Verify Station.
To pair a device:
1. The ACM operator and the device user agree on the name to use for the device.
2. The ACM operator provides the ACM URL or hostname to the device user.
The ACM appliance IP address or hostname is visible in the web browser's navigation bar from any
ACM client window.
3. The ACM operator navigates to the Add Paired Device panel.
a. If the operator is:
l
Pairing a device only, click > Paired Devices.
l Adding a new door as an ACM Verify Station, click on Add Paired Device in the
Door: Add New screen. For more information, see Parameters tab (Avigilon) on
page 277.
b. Enter the name to identify the device, such as "User Name's Smartphone" and click Generate PIN.
Provide the 4-digit PIN to the device user. The PIN is valid for 10 minutes.
Precautions for Paired ACM Verify Stations 279

4. The device user:
a. Enters the URL to the ACM appliance in the web browser on their device in the format:
<ipAddress>/doors/virtual
The ACM client log in screen is displayed.
For example, if the ACM URL is 192.168.0.125, the device user enters:
//192.168.0.125/doors/virtual
b. Logs in to the ACM Verify client using their username and password.
c. Clicks on the and then clicks >Paired device.

The user is prompted to enter the name of their device and the 4-digit PIN provided by the
ACM operator.
5. The ACM operator waits until the device is paired and then clicks .
To remove a pairing from the ACM appliance, click for the device.
Using ACM Verify

You can use a web browser-enabled device, such as a smartphone or tablet, to connect to ACM, access the
ACM Verify Station functionality and use the device as a virtual station. Virtual stations control access to
places that do not have access-controlled doors or locks. Examples are outdoor mustering stations for fire
drills, a bus for school trips or a work area in an open-plan office. People entering a place controlled by a
virtual station must verify they are authorized to access the area by entering their PIN code on the device.
You must be an ACM user to use ACM Verify on your device. To set up a device for ACM Verify, see
Configuring ACM Verify™ Virtual Doors on page 276.
To use ACM Verify:
1. Use the URL or web link in your web browser provided when your device was set up to launch
ACM Verify from your web browser.
Note: If your device is paired to the ACM user, always use the same browser.
2. If the Access Control Manager login page is displayed, enter your ACM Login and Password.
ACM Verify is displayed and the Virtual Stations you can use are listed.
3. Tap to open a virtual station.
A prompt to enter PIN codes appears.
4. Anyone wanting to access the location you are controlling must enter a PIN code on your device and
tap Submit.
l If the virtual station is managed, the user's picture and name displays, and you are prompted to
grant or deny access.
l If the virtual station is unmanaged, access is granted if the code is valid.
l If the PIN code is incorrect or invalid, a message that access is not granted displays.
Using ACM Verify 280

5. If an area is specified for the virtual station, the number of identities verified is also displayed, and you
can display a list of all the identities who have entered the area by clicking on the Identities Verified:
link.
6. To switch to a different virtual station, tap the back button and tap another virtual station.
For example, if you want to have identities enter and exit an area using their PIN codes you need two
virtual stations. One station is configured for the area you want identities to enter into, and the second
station is configured for the area you want identities to exit into. Both virtual stations are accessible on
the same device.
To log out of ACM Verify, tap and tap Log Out.
IP/PoE Mode Installation

Add a Schlage ENGAGE™ site in ACM to configure and manage groups of Schlage® IP devices through the
Schlage ENGAGE™ Gateway that supports IP/PoE (Power over Ethernet) mode of operation. For more
information, see:
l System Overview below
l Supported Devices on the next page
l Step 1: Creating an ENGAGE Site on page 293
l Step 2: Configuring Gateways for IP Wireless Locks on page 283
l Step 3: Configuring IP Wireless Devices on page 284
l Step 4: Configuring Locking Operation on page 286
Note: ACM supports only the Schalge and Von Duprin® devices in Supported Devices on the next
page in IP/PoE mode. Other device models might not operate correctly.
Tip: If you are installing Schlage Wi-Fi locks, see Offline Wi-Fi Mode Installation on page 292.
System Overview
Figure 5: ACM System organization for Allegion Schlage® IP/PoE wireless locks
IP/PoE Mode Installation 281

1 ACM applications, including identity (badging), administration, video surveillance and alarm
monitoring
2 ACM appliance
3 Encrypted connection provided by the Schalge ENGAGE site that the ENGAGE gateway is
commissioned to (the site is created in ACM)
4 ENGAGE gateway panel that supports up to 10 IP-connected devices in any combination using IP
(410-IP)/PoE (Power over Ethernet) mode of operation, or ASSA ABLOY Aperio IP hub panel that
supports up to 64 IP-connected devices.
5 Schlage IP wireless locks including mobile-enabled and Allegion Von Duprin remote undogging
(RU) and remote monitoring (RM) exit devices
Supported Devices
Ensure the physical configuration of the device matches the configuration in the ACM application as follows.
Note: Up to 10 IP-connected devices—in any combination—are supported by a single gateway.

System
Linked Device
Up to 10 wireless locks to each gateway Up to 1,024 panels to - ENGAGE

an ACM appliance site
Up to 5000 credentials to each lock
An ENGAGE gateway
Up to 10 mobile-enabled wireless locks to each
is a panel.
gateway
Mobile credentials are not supported.
Allegion Schlage Control™ smart locks
Up to 10 wireless locks to each gateway Up to 1,024 panels to - ENGAGE

Up to 500 credentials to each device
An ENGAGE gateway
is a panel.
Allegion Von Duprin remote undogging (RU) and remote monitoring (RM) devices
Up to 10 RU or RM devices to each gateway Up to 1,024 panels to - ENGAGE

Single door configuration only.
An ENGAGE gateway
Credentials are not applicable.
is a panel.

Step 1: Creating an ENGAGE Site
Note: Before you begin, obtain the ENGAGE login account information. For more information, see
Schlage documentation.
To create an ENGAGE site in ACM:
1. Select >External Systems.

2. Click the Schlage tab.
3. Click the Add Schalge Site button.
4. Enter:
Site Name Up to 50 alphanumeric characters for the name of the site which represents
the logical group of ENGAGE devices.
Note: Always create an ENGAGE site in the ACM application. A site

that is already created in the ENGAGE application cannot be reused
in the ACM application. In addition, a site cannot be used by more
than one ACM appliance.
ENGAGE User The login name of the ENGAGE account.

ENGAGE Password The password of the ENGAGE account.
After you add the ENGAGE site for an IP-connected lock, see Step 2: Configuring Gateways for IP Wireless
Locks below.
After you add the ENGAGE site for an offline Wi-Fi lock, see Step 2: Setting Up Communication to Offline Wi-
Fi Locks on page 293.
Step 2: Configuring Gateways for IP Wireless Locks

For Schlage gateways that control Schlage IP wireless devices.
To configure a Schlage gateway:
1. Ensure gateway communication to the ACM appliance is enabled:

a. Select > Appliance and the Access tab.
b. Select the Installed checkbox next to the Schalge vendor.
c. Click .
d. Contact your support representative to enable the Debug checkbox, if needed.

3. Click Add Panel.
4. Enter:
Name Up to 50 characters for the name of the gateway.
Location
partition.
Appliance The ACM appliance the device is connected to.
Vendor Select Schlage.
Model: ENGAGE Gateway - IP.
Site : The name of the site that the gateway is commissioned to.
Timeszone : The local timezone where the gateway is installed.
5. Click to save your changes. The entries are displayed on the Configure tab.
6. Click the Host tab.
7. Enter:
IP Address The IP address of the gateway or hostname of the device.
saving.
After gateway communication is enabled, any devices linked to the gateway will be displayed in the following
places:
l On the Status tab of the abovementioned panel page, where the Link Name, S/N (serial number),
Status (of the connection to each device) and Credential Capacity (for each device that supports
credentials) columns are displayed.
l In the Linked Devices field on the door page.
For more information, see Step 3: Configuring IP Wireless Devices below.
Step 3: Configuring IP Wireless Devices

For Schlage IP wireless devices.

Note: Before you begin, ensure the devices have been installed according to the vendor's
installation instructions. If you are not ready to physically install the devices, you can predefine doors
as described in this section without specifying the devices.
To configure a wireless device:
1. Ensure device communication is supported in ACM software:

l Add the ENGAGE site in ACM, as described in Step 1: Creating an ENGAGE Site on page 293.
l Add a gateway for Schlage IP wireless devices, as described in Step 2: Configuring Gateways
for IP Wireless Locks on page 283.
2. On the Panel: Status or Doors list page, do one of the following:
l Click Add Door to create a new door for each new device. Click Cancel in the Templates
dialog.
l Select the name of a device linked to the gateway.

3. On the Parameters tab, select:
Vendor Schalge.
Panel The gateway.
Lock Model The lock model. See Supported Devices on page 282.
Linked Device The ID or name of each externally commissioned IP wireless or offline Wi-Fi device.
For more information, refer to the commissioning process in vendor
documentation.
Tip: IP wireless device only. You can save the door without a linked device
and enter it as a post-installation step.
Access Type IP-connected wireless device only. Whether access is located on one or both sides
of the door. Default is Single, which cannot be changed. For more information, see
Access Types on page 215.
Door Mode IP-connected wireless device only. The entry mode for the door when the gateway
is online and communicating with the device. For information about the Unlocked,
Locked No Access and Card Only options, see Door Modes on page 213.
Door modes are device-specific and not applicable to Control locks.
Lock Function None is the default. For more information about the Privacy, Apartment and Office
lock functions, see Adding Doors on page 225
Lock function is device-specific.
Always Mask The Door Forced Open alarms at the door are always masked.
Forced
Always Mask The Door Held Open alarms at the door are always masked.
Held
Door For more information about the Log Grants Right Away, Log All Access as Used
Processing and Detailed Events door processing attributes, see Adding Doors on page 225.
Attributes
Not applicable to Control locks.
After you add a new door, customize other door settings to meet your system requirements. For more
information, see Step 4: Configuring Locking Operation below.
Step 4: Configuring Locking Operation

For Schlage IP wireless locks that do not support in/out readers, and RU or RM devices.
To configure locking operation:
1. Edit device settings as required:

(The Name through Installed fields can be edited on the Parameters, Operations and Cameras tabs.
For these field descriptions, see Adding Doors on page 225.)

On the Operations tab, select:
Into Area The area that the badge holder enters by passing through the door.
Example: Laboratory
For more information, see Adding Areas on page 319.
Out of area The area that the badge holder leaves by passing through the door.
Example: Lobby
Standard Access Time The seconds the door remains unlocked after access has been granted.
Held Open Time The seconds the door can be held open before a Door Held Open event is
generated.
Extended Access The seconds the door remains unlocked after access has been granted to
token holders with extended access permissions.
Card Formats
Important: To maximize the security and capacity of your locks,

only move the card formats that are actually used to the Members
column.
Make sure the Facility Code in Physical Access > Card Formats matches the
facility code on the card. This ensures credential matching occurs during
card operation on the door that uses the card format. For more information,
see Configuring Card Formats on page 323.
Note: The Suppress facility check checkbox must not be used.

Allow time for the device configuration to take effect.
Important: Check the credential capacity of the door on the Panel: Status tab before you add
more credentials to the lock.
3. Does not apply to Control locks. Add the device to an access group for assignment to identities and
their tokens.
On the Panel: Status tab, the Credential Capacity count for the door is updated.
Applying Door Commands

To control your Schlage IP wireless device, apply the following door commands:
Applying Door Commands 287

2. Enter a checkmark in the All column next to the device.
3. For the Control lock:
l
To grant access to the deadbolt on the Control lock, select Door Action > Grant (only this
door action is supported). Momentarily grants access to the door to permit a single-time entry.
Ignore the Unknown door state and door mode.
The deadbolt is enabled for you to lock it (extend the bolt) or unlock it (retract the bolt) on the
outside.
4. For the RU device:
l
To unlock the RU device in Closed door state and Locked No Access door mode, select
Door Action > Unlock (only this door action and the Locked No Access door action are
supported).
The door mode changes to Locked No Access (Unlocked on Next Exit). The door is locked on
the outside and the inside. The remains displayed.
When a person presses the push bar, the door is Unlocked. While the door is unlocked,
you will see the Open and Closed states as the door is opened and closed.
l
To lock the RU device in Closed door state and Unlocked door mode, select Door Action
> Locked No Access.
The door is instantly locked.
For more information about controlling doors, see Controlling Doors on page 201. You can also apply door
commands to RU devices in maps. For more information, see Maps - Introduction on page 450.
Door Scheduling By Batch Job (Specification)

To create a schedule for locking and unlocking doors, use a batch job specification. For more information,
see Scheduling Batch Jobs on page 478 and Setting Batch Door Modes on page 484.
Viewing Gateway or Offline Wi-Fi Lock Status

For IP/PoE mode and offline Wi-Fi mode ENGAGE gateways.
1. Select Physical Access > Panels to view gateways or offline Wi-Fi locks.
2. View the Device Status in the first column. For more information, see Device Status on page 47.
Ignore the Cards in Use column.
For another way of accessing device status, see Using the Dashboard on page 44.
3. Select the panel.
4. View on the Status tab:
The communications status between the panel and ACM appliance. The current
status of the device is indicated by the background color. For more information,
see Status Colors on page 46.

Clock Resynchronizes the clock time of the gateway or offline Wi-Fi lock when clicked.
See Updating Panel Time on page 179.
Last comms The date and time of the last message that was communicated between the panel
and the ACM appliance.
Offline Wi-Fi lock only. The date and time of the last communication between the
lock and the ACM appliance.
Next comms Offline Wi-Fi lock only. The date and time of the next communication between the
Firmware The gateway or offline Wi-Fi lock firmware version. See Updating Panel Firmware
on page 179.
Note: ControlBM locks are displayed in the ControlBM Locks list only if
the gateway firmware is updated to version 1.62.04 or newer. If the
gateway firmware is not updated, the ControlBM locks are displayed in
the Control Locks list. Lock functionality still works with the exception of
the Update Firmware capability.
Offline Wi-Fi lock only. Hover your mouse over the firmware version to view more
details.
Viewing Door Status and Events

To view access information, events and alarms generated for doors:

For more information about door state and door mode, see Adding Doors on page 225.
For event descriptions, see Troubleshooting on page 515.
3. Click the Events tab to view all the global events that are related to the device:
Name The name of the event.
Event The type of event.
Click Yes or No.


Tip: You can also view events using Monitor > Events. For more information, see
Monitoring Events on page 28.
4. Click the Access tab to view the access groups, roles and identities that have permission to edit or use
the door (not applicable to RU and RM exit devices):
999.
For more information, see Managing Door Access on page 112.
5. Click the Transactions tab to view the events and alarms that have occurred at the door:
999.

For more information, see Configuring Roles on page 87.
Updating Gateway and Offline Wi-Fi Lock Firmware

For Schalge IP wireless locks and offline Wi-Fi locks.
Note: Ensure the ENGAGE gateway and ACM have access to the internet.
To apply firmware updates from lock manufacturers:
1. On the Panels list, select the gateway.

2. For the device type, click Update Firmware. Ignore the blue Firmware button, which is used for
updating gateway firmware.
Note: To update the firmware of ControlBM locks, gateway firmware version 1.62.04 or
newer, is required.
3. Do one of the following:

l
Click next to the firmware version that is available in the system to apply it to the group of
locks.
l Select a new firmware version as follows:
a. Click Open Advanced Options.
b. Enter your ENGAGE login information in ENGAGE User and ENGAGE Password, and
click Get Available Firmware. The firmware versions are downloaded.
CAUTION — This advanced procedure must be performed only by qualified personnel
with the requisite knowledge of the firmware versions and the ACM system.
c. Click next to the firmware file to apply it.
Note: For offline Wi-Fi locks, the firmware version update does not occur immediately. It occurs at
the next communication interval to the ACM application. Each offline Wi-Fi lock has its own interval
setting which is dependent on the timing of its initial communication with the ACM system.
Generating Reports
For Schlage IP wireless devices.
You can generate the Door Configuration Report and Transaction Report by selecting Reports.
Updating Gateway and Offline Wi-Fi Lock Firmware 291

Offline Wi-Fi Mode Installation
Add a Schlage ENGAGE™ site in ACM to configure and manage groups of Allegion Schlage® Wi-Fi locks. For
more information, see:
l Supported Devices below
l Step 1: Creating an ENGAGE Site on the next page
l Step 2: Setting Up Communication to Offline Wi-Fi Locks on the next page
l Step 3: Configuring Offline Wi-Fi Lock Operation on page 294
Note: ACM supports only the Schalge devices in Supported Devices below in offline Wi-Fi
mode. Other device models might not operate correctly.
Note: ACM appliance failover is not supported for offline Wi-Fi locks due to the connection method.
Offline Wi-Fi locks initiate calls to the ACM appliance, as opposed to the ACM appliance initiating the
connection for wired locks. However, manual failover to a standby ACM appliance is supported. To
enable automated failover for offline Wi-Fi locks, organizations may choose to follow standard
practices for network DNS failover in their infrastructure. The details of configuring automated
failover depend on individual network architectures.
Supported Devices
Ensure the physical configuration of the device matches the configuration in the ACM application as follows.

System
Linked Device
Up to 2048 wireless locks, depending on Same as doors - ENGAGE site

the ACM appliance or license — LE model
Up to 2048 mobile-enabled wireless locks, Same as doors - ENGAGE site

depending on the ACM appliance or license
— LE version B (LEB ) and NDE version B
(NDEB) models
Mobile credentials are not supported.
Offline Wi-Fi Mode Installation 292

Step 1: Creating an ENGAGE Site
Note: Before you begin, obtain the ENGAGE login account information. For more information, see
Schlage documentation.
To create an ENGAGE site in ACM:

3. Click the Add Schalge Site button.
4. Enter:
the logical group of ENGAGE devices.
Note: Always create an ENGAGE site in the ACM application. A site

that is already created in the ENGAGE application cannot be reused
in the ACM application. In addition, a site cannot be used by more
than one ACM appliance.
ENGAGE User The login name of the ENGAGE account.

ENGAGE Password The password of the ENGAGE account.
After you add the ENGAGE site for an IP-connected lock, see Step 2: Configuring Gateways for IP Wireless
Locks on page 283.
After you add the ENGAGE site for an offline Wi-Fi lock, see Step 2: Setting Up Communication to Offline Wi-
Fi Locks below.
Step 2: Setting Up Communication to Offline Wi-Fi Locks

To set up communication between the offline Wi-Fi locks and the ACM appliance:
1. On the External Systems page, click the Schlage tab and enter:

Site for Schlage WiFi The ENGAGE site that ACM will use to establish secure communication with
Locks the offline Wi-Fi lock when the lock attempts connection to ACM for the first
time.
Schlage WiFi Door The time interval for communication of the offline Wi-Fi lock to the ACM
Communication system. Default is 1440 minutes (24 hours).
Interval
CA Certificate If you installed a custom certificate on your appliance, you need to upload
the certificate of the Certification Authority that signed it. Click Upload CA
Certificate to upload the certificate to ACM. Click to delete it.
You cannot edit this field if the appliance is using a default self signed
certificate.

3. In the ENGAGE application, enter the ENGAGE site defined in the field above and the IP address of the
ACM server. For more information, see vendor documentation.
After a lock is externally commissioned, the lock automatically appears in the ACM application as a door and
a panel.
After this step, see Step 3: Configuring Offline Wi-Fi Lock Operation below.
See also:
l Deleting Offline Wi-Fi Locks on page 297
Step 3: Configuring Offline Wi-Fi Lock Operation

To configure lock operation:

Standard Access Time The seconds the door remains unlocked after access has been granted.
generated.
Extended Access The seconds the door remains unlocked after access has been granted to
token holders with extended access permissions.
Step 3: Configuring Offline Wi-Fi Lock Operation 294

Card Formats
Important: To maximize the security and capacity of your locks,

only move the card formats that are actually used to the Members
column.
facility code on the card. This ensures credential matching occurs during
card operation on the door that uses the card format. For more information,
see Configuring Card Formats on page 323.
Note: The Suppress facility check checkbox must not be used.

Important: Check the credential capacity of the door on the Panel: Status tab before you add
more credentials to the lock.
On the Panel: Status tab, the Credential Capacity count for the door is updated.
Viewing Gateway or Offline Wi-Fi Lock Status

For IP/PoE mode and offline Wi-Fi mode ENGAGE gateways.
1. Select Physical Access > Panels to view gateways or offline Wi-Fi locks.
2. View the Device Status in the first column. For more information, see Device Status on page 47.
Ignore the Cards in Use column.
For another way of accessing device status, see Using the Dashboard on page 44.
3. Select the panel.
4. View on the Status tab:
The communications status between the panel and ACM appliance. The current
status of the device is indicated by the background color. For more information,
see Status Colors on page 46.
Clock Resynchronizes the clock time of the gateway or offline Wi-Fi lock when clicked.
See Updating Panel Time on page 179.
Last comms The date and time of the last message that was communicated between the panel
and the ACM appliance.
Offline Wi-Fi lock only. The date and time of the last communication between the

Next comms Offline Wi-Fi lock only. The date and time of the next communication between the
Firmware The gateway or offline Wi-Fi lock firmware version. See Updating Panel Firmware
on page 179.
Note: ControlBM locks are displayed in the ControlBM Locks list only if
the gateway firmware is updated to version 1.62.04 or newer. If the
gateway firmware is not updated, the ControlBM locks are displayed in
the Control Locks list. Lock functionality still works with the exception of
the Update Firmware capability.
Offline Wi-Fi lock only. Hover your mouse over the firmware version to view more
details.
Updating Lock Firmware

For Schalge IP wireless locks and offline Wi-Fi locks.
Note: Ensure the ENGAGE gateway and ACM have access to the internet.
To apply firmware updates from lock manufacturers:
1. On the Panels list, select the gateway.

2. For the device type, click Update Firmware. Ignore the blue Firmware button, which is used for
updating gateway firmware.
Note: To update the firmware of ControlBM locks, gateway firmware version 1.62.04 or
newer, is required.
3. Do one of the following:

l
Click next to the firmware version that is available in the system to apply it to the group of
locks.
l Select a new firmware version as follows:
a. Click Open Advanced Options.
b. Enter your ENGAGE login information in ENGAGE User and ENGAGE Password, and
click Get Available Firmware. The firmware versions are downloaded.
CAUTION — This advanced procedure must be performed only by qualified personnel
with the requisite knowledge of the firmware versions and the ACM system.
Updating Lock Firmware 296

c. Click next to the firmware file to apply it.
Note: For offline Wi-Fi locks, the firmware version update does not occur immediately. It occurs at
the next communication interval to the ACM application. Each offline Wi-Fi lock has its own interval
setting which is dependent on the timing of its initial communication with the ACM system.
Deleting Offline Wi-Fi Locks

To delete an offline Wi-Fi lock from the ACM application:
1. Uninstall the physical lock hardware.

2. Delete the door in the ACM application. For more information, see Deleting Doors on page 212.
Deleting the door automatically deletes the associated panel.
If a lock is deleted in the ACM application, it will reappear as a new door at the next communication interval to
the ACM application. A lock that is not deleted in the ACM application, but deleted in the ENGAGE
application, will appear as an offline lock in the ACM application. Changing the site must be done in the
ENGAGE application.
Deleting Offline Wi-Fi Locks 297

SALTO Door Installation
Add a SALTO ProAccess SPACE server (referred to as SALTO server) in the ACM application to manage users
and physical access to installed doors that are configured in the SALTO network. For more information, see:
l Prerequisites on the next page
l Supported Devices on page 302
l Step 1: Connecting to a SALTO Server on page 302
l Step 2: Configuring the SALTO Server on page 303
l Step 3: Syncing Doors with the SALTO Server on page 304
l Step 4: Installing and Configuring Doors on page 304
l Step 5: Creating Identities and Tokens on page 306
Note: Doors must be created in the SALTO system before you use the ACM system. Every time you
add or delete doors in the SALTO system, remember to manually sync them with ACM as described
in Step 3. In addition, identities and their tokens must be managed in the ACM system and requires
using encoder hardware for some door modes, as described in Step 5.
System Overview
Figure 6: ACM system organization for SALTO ProAccess SPACE doors
monitoring
2 ACM appliance
3 Encrypted connection provided by the SALTO Host Interface Protocol (SHIP) integration
4 SALTO ProAccess SPACE server (referred to as SALTO server; supports up to 2048 installed
doors), SALTO ProAccess SPACE Configurator application, SALTO encoder hardware
Note: Installing the SALTO ProAccess SPACE server on a dedicated machine is

recommended for the best performance.
SALTO Door Installation 298

5 SALTO network
6 SALTO JustIN Mobile access technology and mobile credentials, physical keycards
7 SALTO online doors (wired and wireless) and standalone doors
Prerequisites
SALTO Server Installation and Configuration
Contact your integrator to install and configure the SALTO ProAccess SPACE server.
Note: Operators need to understand how to use SALTO security configuration, such as key
revalidation, door open mode and timed-based configuration, before using the ACM system. See
Understanding SALTO and ACM Door Configuration on the next page.
For general, new or updated instructions about the registration, installation and configuration of
SALTO systems software and hardware, refer to SALTO systems documentation. The following
instructions are based on using SALTO ProAccess SPACE software version 6.2.3.1.
1. In the SALTO ProAccess SPACE Configurator application, set up the encrypted connection:

a. If the ProAccess SPACE service is running, select the SERVICE PROPERTIES panel and stop it.
b. Select the SERVICE PORTS panel.
c. Select SALTO authentication and enter the port used for communication between SALTO and
ACM systems. Default is 8100.
This is the same port used in the URL to access the SALTO ProAccess SPACE web interface.
d. Select the Use HTTPS checkbox and then select the required certificate from the dropdown
list.
If your certificate is not listed, make sure the certificate and its private key are stored in a .pfx
file and then imported to the Windows certificate store.
Note: The above steps assume you are running Windows 10. If you are running
Windows 7 Service Pack (SP) 1, upgrading to Windows 10 or enabling Transport Layer
Security (TLS) in Windows 7 SP 1 is recommended. For more information, see the steps
at Microsoft.com (support.microsoft.com/en-ca/help/3140245/update-to-enable-tls-1-1-
and-tls-1-2-as-default-secure-protocols-in-wi).
e. Select the DATABASE panel and select Windows authentication.

f. Save the settings.
g. Start ProAccess SPACE service.
2. On your Windows machine, ensure the firewall can support inbound and outbound traffic on the port
Prerequisites 299
used for communication between SALTO and ACM systems.
3. In the SALTO ProAccess SPACE software version 6.2.3.1, configure the user ID:
a. Click the URL which is displayed on the SERVICE PORTS panel.
For example: https://hostname:portnumber/ProAccessSpace/
b. Select the Advanced tab on General options.
c. Add the SHOW_EXT_ID parameter and set the value to 1.
d. Select the Users tab and click the button next to User ID configuration.
e. Add ($FirstName) ($LastName) ($EXTID) in the Content field and click OK.
Important: The ($EXTID) macro must be used to ensure uniqueness of the First Name
and Last Name combination.
4. In the SALTO ProAccess SPACE software, configure the SHIP integration:

a. Select System > General options from the menu bar.
b. Select the SHIP tab on General options.
c. Click the Enable checkbox.
d. Click HTTP(S) and select Basic from Authentication.
e. Create a username and password to connect with the ACM system.
f. Save the settings.
Understanding SALTO and ACM Door Configuration

When you install doors in the SALTO system, consider the following:
l SALTO door open mode configuration is mapped to the ACM Door mode and Custom Mode fields.
Creating, updating or removing an open door mode in the SALTO system will add, update or remove
(respectively) the mapped field values in the ACM system after a manual sync in ACM. See the
following table for the field values. When doors are deleted in the ACM system, the corresponding
doors in the SALTO system are not deleted. At the next manual sync in the ACM system, the door will
display as a new uninstalled door.
l SALTO Timed period field is mapped to the ACM Custom Schedule field.
Creating, updating or removing a schedule that is assigned to a door in the ACM system will create,
update or remove (respectively) the Timed period value in the SALTO system.
l SALTO calendar group configuration is mapped to ACM holiday configuration.
Creating, updating or removing a holiday in the ACM system will add, update or remove
(respectively) the calendar and any holidays in the SALTO system.
For information about ACM door configuration, see Door Modes on page 213, Step 3: Syncing Doors with the
SALTO Server on page 304 and Step 4: Installing and Configuring Doors on page 304.
For information about SALTO door configuration, refer to SALTO systems documentation.
Understanding SALTO and ACM Door Configuration 300

ACM System SALTO System
Door Mode Custom Mode Door Open Mode
Card Only - Standard
Unlocked Automatic opening
Card and PIN Timed Key + PIN
Office Timed office
Toggle Timed toggle
Keypad Only Timed keypad
Card and Pin - Key + PIN
Office - Office
Unlocked Automatic opening + Office
Toggle - Toggle
Unlocked Automatic opening + Toggle
Keypad Only - Keypad only
Exit Leaves Open‡ - Exit Leaves Open‡
Toggle and Exit Leaves - Toggle and Exit Leaves Open‡

Open‡
- - Another door mode
Custom Schedule Timed Period*
Up to 1024 schedules 1024 timed periods
Holiday Calendar*
Up to 3 types of holiday groups In calendar name (0000), 1 holiday and

2 special holidays
‡ The Escape and Return mode settings are not applicable to SALTO online and standalone doors that are
installed with a control unit (CU).
Escape and Return Mode
In the SALTO ProAccess SPACE software version 6.2.3.1, configure the lock mode:
Escape and Return Mode 301

1. Select System > General options > Advanced.
2. Add the EXIT_LEAVES_OPEN parameter and set the value to 1.
3. Save the setting.
Note: You can search for Escape and Return events in ACM event monitoring.
SALTO Ethernet Encoder Configuration

In the SALTO ProAccess SPACE software version 6.2.3.1, configure the encoder:
1. Go to SALTO Network and click the Add Network Device button.

a. Select Encoder and click OK.
b. Enter the Name and Description, and IP address for Ethernet access.
c. Save the setting.
d. Verify the encoder is online.
i. Press the LED button at the back of the physical device until it flashes.
ii. Click the Address button to initiate the connection.
iii. Click the Status Monitoring button.
2. Select the operator login in the upper-right corner.
a. Select Settings > Local Settings > Encoder Settings.
b. Select Online and the encoder name.
c. Save the setting.
For more information about SALTO Ethernet encoder configuration, refer to SALTO systems documentation.
Supported Devices
The ACM application is mapped to the physical configuration of SALTO doors as follows.
Door Panel Subpanel External System
Up to 2048 installed doors A SALTO server is - A SALTO server is

a panel. a panel.
All SALTO door devices at time of initial release in
ACM
Step 1: Connecting to a SALTO Server
Note: Before you begin, set up the required SALTO server and hardware. For more information, see
SALTO systems documentation.
SALTO Ethernet Encoder Configuration 302

Important: Only one ACM system can connect to a SALTO server. Connecting more than one ACM
system is not supported.
To connect to a SALTO server in ACM:

2. Click the SALTO tab.
3. Enter:
Appliance The name of the ACM appliance that is connected to the SALTO server.
Address The IP address or hostname of the SALTO server.
Port The TCP/IP port number configured on the SALTO server.
User Name The SALTO user name created in the SHIP encryption step in Prerequisites
on page 299.
Password The password for the user name.
Installed Enables communication between the ACM appliance and SALTO server
after saving.
After the external system is saved, the SALTO server automatically appears in the ACM application as a
panel.
Step 2: Configuring the SALTO Server

To configure the new SALTO server:

2. Select the SALTO panel.
3. Click the Configure tab on the SALTO panel.
4. Enter:
Location
partition.
The other fields are read-only and cannot be changed. For more information, see SALTO Panel
Step 2: Configuring the SALTO Server 303

After saving the panel, see Step 3: Syncing Doors with the SALTO Server below.
Step 3: Syncing Doors with the SALTO Server

To import SALTO doors to the ACM appliance:
l On the Status tab of the SALTO panel, click Sync Doors.
Doors are imported uninstalled. Sync Status displays the sync results. Doors in a zone in the SALTO
system are displayed as doors in the ACM system.
Note: Every time you add or delete doors in the SALTO system, remember to sync them with
the ACM system.
The other fields are read-only and cannot be changed. For more information, see SALTO Panel Status
on page 180.
After doors are imported, see Step 4: Installing and Configuring Doors below.
Step 4: Installing and Configuring Doors
Note: Doors must be created in the SALTO system before you use Door Mode, Custom Mode and
Custom Schedule in the ACM system.
To enable communication to the SALTO door after syncing with the SALTO server:

2. Install the door to enable communication with ACM, if not already done:
a. Select the door displaying the device status.

b. Select Installed > Install.
c. Click OK.
Note: If a message (red text) is displayed indicating the need to update the door mode, make
sure the Door Mode, Custom Mode and Custom Schedule fields are selected. You need to
set supported door modes in the ACM appliance.
If you add a door to a zone or remove a door from a zone in the SALTO system, allow up to
five minutes for the door to be added or deleted (respectively) in the ACM system.
Step 3: Syncing Doors with the SALTO Server 304

3. Display the event details for each door in the list, if not already done:
a. Select the door name.
b. On the Parameters tab, enter a checkmark in Detailed events.
c. Click to save.
4. Return to Physical Access > Doors.
l In the Device Status column, you will see:
Online with control unit door. Normal, Uninstalled, Communication, Unlocked, Battery, Tamper,
Forced, Held or Synchronization.
Standalone door. Normal, Uninstalled, Battery or Synchronization.
For more information, see Device Status on page 47.
l In the Door State column, you will see Unknown change to:
Online door. Open, Closed, Emergency Open or Emergency Closed.
Standalone door. Offline.
Online or standalone door with no control unit. Closed or Emergency Open.
For more information, see Controlling Doors on page 201 and Maps - Introduction on page 450.
l In the Door Mode column, you will see:
Online and standalone doors. Card Only, Card and Pin, Toggle, Office or Keypad Only.
Online or standalone door with no control unit. Unlocked or Locked No Access.
5. Select and edit door configuration as required:
(The Alt Name through Installed fields can be edited on the Parameters and Cameras tabs. For these
field descriptions, see Adding Doors on page 225.)
Door Mode: The entry mode of the door after syncing with the SALTO server and installing the door.
Custom Mode: Another entry mode of the door that is time-based (see Custom Schedule), which can
be Unlocked, Card and Pin, Office, Toggle or Keypad Only (same as Door Mode). If Keypad Only is
selected, Keypad Code is displayed. You can enter up to 8 digits.
Custom Schedule: A predefined time when Custom Mode becomes active. If you need to add a new
schedule, see Adding Schedules (Intervals in Schedules) on page 395.
Always Mask Forced: If selected, Door Forced Open alarms at the door are always masked.
Always Mask Held: If selected, Door Held Open alarms at the door are always masked.
Detailed events: Enables the reporting of event details, such as Door Mode, after syncing and
installing the door.
See Step 5: Creating Identities and Tokens on the next page.

l System Overview on page 298

Step 5: Creating Identities and Tokens
Note: Before you start, make sure you have access to encoder hardware before you create the
identity and token in the ACM system. In addition, make sure an access group and identity are
created in the ACM system. For more information, see Adding an Access Group on page 112 and
Assigning an Access Group to a Role on page 115.
If your SALTO network supports SALTO mobile credentials, make sure all identities download and
install the SALTO JustIN Mobile app.
To create an identity and token for a SALTO door:
2. Click the Tokens tab and enter:
Token Type SALTO
Mobile Application Type Default is None.
JustIn Mobile refers to the SALTO JustIN Mobile application that is
installed on the mobile phone of the identity.
Note: When issuing mobile keys, the encoder requires access

to the internet.
Mobile Phone Number The mobile phone number in international format (plus sign and no
spaces).
+ country code, area code, phone number
Example: +12345678910
Note: The mobile app must be installed on the mobile phone

of this phone number.
For other field descriptions, see Token Fields on page 81.
3. Click to save.
The Download and Assign Key buttons appear.
4. Edit the token and click Assign Key to assign a key to the token as follows:
For a physical key:
Step 5: Creating Identities and Tokens 306

a. Select the SALTO encoder in the dialog box and click Next.
b. SALTO encoder step. Place the physical key on the encoder hardware.
c. Click the Encode Key button in ACM.
d. Click OK.
For a mobile key:
l Click OK.
ACM displays the status of the key update.
Using Physical and Mobile Keys

To use a physical key after assigning or editing a token:
l Place the keycard on the SALTO door device.
To use a mobile key after assigning or editing a token:
a. Tap the key icon in the mobile app.

b. Place the mobile phone on the SALTO door device for 1-2 seconds until a checkmark is displayed.
Editing Tokens — Update Required and Re-edition Required

If the Update Required or Re-edition Required status (red box) appears on the Tokens tab, edit token
configuration as follows:
Note: Updating some of the token configuration requires you to re-encode (referred to as re-edition
or re-edit) the key. Therefore, make sure you have access to encoder hardware before you start.
1. Select the token configuration:

PIN When a PIN is required, the PIN number that the user will be required
to enter at a keypad card reader.
Token Status The status of the token may be set manually and then updated by the
system as follows:
l Active: The Not Yet Active token is set to Active when the
current date is past the Activate Date.
l Expired: The Active token is set to Expired when the current
date is past the Deactivate Date.
l Inactive: The Active token is set manually to Inactive without
further update.
l Not Yet Active: The token is not active yet.
Using Physical and Mobile Keys 307

Issue Level A number from 0 to 999999999, representing the issue level of the
token.
Example: If a 3-digit length was configured on the Card Format: Edit
page, you can enter 123 for the issue level of the card.
For more information, see Issue Level Numbering for Reusing a Card
Number on page 325.
Never Expire The token never expires.
Extended Door Times A checkbox to give the token extended access time.
Once enabled, the door remains unlocked for a longer period of time
than the standard access time to accommodate users that may require
more time to enter a door.
Standard and extended access times are specified on the Door Edit
page.
Office A checkbox to enable the token to activate Office mode for a door that
is configured for Office mode, which allows the cardholder to leave the
lock open.
To use this mode, the cardholder presents the key to the door while
pressing down the inner handle and repeats the procedure to undo
the mode.
Set Lockdown SALTO standalone doors only. A checkbox to enable lockdown mode
for a door that has a lock that can support manual lockdown. For more
information about lockdown in the SALTO system, refer to SALTO
systems documentation.
To use this mode, the cardholder presents the key to the door's inside
reader and repeats the procedure to undo the mode.
Override Privacy A checkbox to allow the cardholder to access a door locked from the
inside at any time.
Override Lockdown A checkbox to allow the person to access a door closed from the
inside during lockdown state.
Audit Openings SALTO standalone doors only. A checkbox to audit the use of keys in
standalone doors. Audits automatically occur in online doors.
Editing Tokens — Update Required and Re-edition Required 308

Enable Revalidation A checkbox to specify a period for revalidating a key before it
Update Period in days or becomes invalid. To make the token valid again, the cardholder can
hours unit present the token to the online wall reader at any time.
For example, a key requires revalidation every seven days, if the
update period is set to 7 days. If the key is used on the third day, the
update period is reset. If the key is not used for over seven days, the
key becomes invalid.
Note: When revalidating mobile keys, the encoder requires

access to the internet.
Issue Date The date the token was issued.

Activate Date The activation date for the token.
Deactivate Date The deactivation date for the token.
Last Door The last door the token was used to gain access.
Last Used The last time the token was used to gain access.
2. Click the Update Key button in ACM.
3. If updating Audit Openings, Override Privacy or Override Lockdown:
For a physical key:
a. Select the SALTO encoder in the dialog box and click Next.
b. SALTO encoder step. Place the physical key on the encoder hardware.
c. Click the Encode Key button in ACM.
d. Click OK.
For a mobile key:
l Click OK.
ACM displays the status of the key update, such as the No Update Required status.
Canceling Keys
To cancel a key that was assigned to a token:
1. On the Tokens tab, click the Cancel Key button.

ACM displays the status of key update.
2. Click OK .
Note: A canceled key cannot be used throughout the SALTO system. For more information, refer to
SALTO system documentation.
Canceling Keys 309

Downloading All Tokens
To download or restore all tokens to the ASSA ABLOY, HID or Mercury panel:
l On the Status tab of the panel, click Tokens.
Typically, this action is done after system restore. For more information, see also Restoring Backups on
page 368.
Downloading All Tokens 310

ASSA ABLOY™ IP Lock Installation
Add a panel in ACM to configure and manage groups of ASSA ABLOY IP-enabled locks, including hard-
powered PoE (Power over Ethernet) locks and battery-powered Wi-Fi locks, after their initial configuration and
connection to the Door Service Router (DSR) server (referred to as DSR). Typically, Wi-Fi locks are battery-
powered (referred to as the Battery Powered lock type), and if configured with an external power supply, can
have the real-time communication capabilities of hard-powered PoE locks (referred to as the External
Powered lock type). For more information, see:
l Step 1: Configuring a Door Service Router for IP Locks on page 313
l Step 2: Syncing Doors with the Door Service Router on page 314
l Step 3: Installing and Configuring Doors on page 315
l Step 4: Configuring Locking Operation on page 316
Note: Locks must be created in the Lock Configuration Tool (LCT) and doors must be created in the
DSR software before you use the ACM system. Every time you add doors in the ASSA ABLOY
system, remember to manually sync them with ACM as described in Step 2. After door sync, the
doors must be edited and managed in the ACM system.
System Overview
Figure 7: ACM system organization for ASSA ABLOY IP-enabled locks
monitoring
2 ACM appliance
3 Encrypted connection provided by the ACM appliance certificate and ASSA ABLOY DSR server
configuration using Transport Layer Security (TLS)
4 ASSA ABLOY Door Service Router server, DSR Support Tool and Lock Configuration Tool
applications
5 Encrypted connection provided by LCT network configuration
ASSA ABLOY™ IP Lock Installation 311

6 ASSA ABLOY IP-enabled external powered (hard powered) PoE locks and battery-powered Wi-Fi
locks
Typically, Wi-Fi locks are battery-powered (referred to as the Battery Powered lock type in ACM),
and if configured with an external power supply, can have the real-time communication
capabilities of hard-powered PoE locks (referred to as the External Powered lock type in ACM).
Prerequisites
Contact your integrator to install and configure the ASSA ABLOY DSR software and LCT application.
Note: Integrators can download the required vendor software and the Access Control Manager™
System Integration Guide for ASSA ABLOY Door Service Router and Lock Configuration Tool in the
Avigilon Partner Portal (avigilon.com/software-downloads).
Prerequisites 312
Supported Devices
The ACM application is mapped to the physical configuration of ASSA ABLOY IP locks as follows.
Up to 1024 doors to a single DSR A DSR is a panel. - -
Up to 2048 doors combined to two DSRs
DSR version 8.0.13 — Including SARGENT Profile

Series v.S2, SARGENT Passport 1000 P2,
SARGENT IN120 WiFi, CORBIN RUSSWIN IN120
WiFi, CORBIN RUSSWIN Access 700 PWI1 WiFi,
CORBIN RUSSWIN Access 800 PWI1WiFi locks
Credentials are dependent on lock model. See

vendor documentation for the limit.
Step 1: Configuring a Door Service Router for IP Locks
Note: Before you begin, set up the required DSR and LCT software and IP lock hardware. For more
information, see the Access Control Manager™ System Integration Guide for the ASSA ABLOY Door
Service Router and Lock Configuration Tool. For information about the number of DSRs supported
by the ACM system, see Supported Devices above.
Important: The encrypted connection to the ACM system must be enabled in the DSR software.
To configure a DSR in ACM:

2. Click Add Panel.
3. Enter:
Name A unique name for the panel. Choose a name that will help you identify the
devices it controls. Duplicate names are not allowed.
Physical Location A description of where the device is installed.
Appliance The name of the ACM appliance that is connected to the DSR.
Vendor Assa Abloy
saving.
Model The model of the DSR.
Timezone The local time which the panel operates in for door schedules and other time-
based configuration.
4. Click to save your changes. The entries are displayed on the Configure tab.
(The Name and Physical Location fields can be edited on the Configure and Host tabs. The other
fields are read-only and cannot be changed.)
5. Click the Host tab.
6. Enter:
IP Address The IP address of the gateway or hostname of the device.
Access Port The port that receives events from the DSR. Default is 8443.
Callback Port The port that receives callbacks about events or statuses on the DSR. Default is
9001; range is 0-65535.
Note: The callback port must be unique for each DSR, if you are
installing multiple DSRs on the same ACM appliance.
After configuring the panel, see Step 2: Syncing Doors with the Door Service Router below.
Step 2: Syncing Doors with the Door Service Router

To sync ASSA ABLOY IP doors with the ACM appliance:
l On the Status tab of the ASSA ABLOY panel, click Sync Doors.
Doors are imported uninstalled. Sync Status displays the sync results.
Step 2: Syncing Doors with the Door Service Router 314

Note: Every time you add doors in the DSR software, remember to sync them with the ACM
system.
After doors are synced, see Step 3: Installing and Configuring Doors below.
Step 3: Installing and Configuring Doors
Note: Doors must be created in the ASSA ABLOY system before you use Door Mode, Custom Mode
and Custom Schedule in the ACM system.
To enable communication to the ASSA ABLOY door after syncing with the DSR:

2. Install the door to enable communication with ACM, if not already done:
a. Select the door displaying the device status.

b. Select Installed > Install.
c. Click OK.
3. Return to Physical Access > Doors. Door information is displayed in the following columns.
Device Status For External Powered doors, you will see Normal, Uninstalled, Communication,
Unlocked, Battery, Tamper, Forced, Held or Synchronization.
For Battery Powered door, you will see Normal, Uninstalled, Battery
or Synchronization.
For more information, see Device Status on page 47.
Door State Unknown will change as follows.
For External Powered doors, you will see Open, Closed, Forced or Held.
For Battery Powered doors, you will see Normal or Offline.
For more information, see Controlling Doors on page 201 and Using a Map on
page 452.
Door Mode Unknown will not change for all listed doors.
4. Select and edit door configuration as required:
Door Mode The entry mode of the door after syncing with the DSR and installing the door,
which can be Unlocked, Card Only, Card and Pin, or First Person Through.

Custom Mode Another entry mode of the door that is time-based (see Custom Schedule), which
can be Unlocked, Card Only, Card and Pin, or First Person Through (same as
Door Mode).
Custom Schedule A predefined time when Custom Mode becomes active. If you need to add a new
schedule, see Adding Schedules (Intervals in Schedules) on page 395.
Tip: If a message indicates the Advanced Schedule option cannot be

enabled when saving, do any of the following:
l Save the schedule without Advanced Schedule selected. Some
doors only support basic schedules.
l Find the access groups using the schedule and select another
schedule.
Lock Function None is the default. Privacy: When the interior lock button is pressed, the door
will lock and the exterior lock will not grant access to any token. To unlock the
door, the interior lock button must be pressed again or exit the room.
Always Mask If selected, Door Forced Open alarms at the door are always masked.
Forced
Always Mask Held If selected, Door Held Open alarms at the door are always masked.
Detailed events Enables the reporting of event details, such as Door Mode, after syncing and
installing the door.
Do Not Log Rex Disables logging of request-to-exit transactions.
Transactions
See Step 4: Configuring Locking Operation below.
Step 4: Configuring Locking Operation

To configure locking operation for the ASSA ABLOY IP door:

For field descriptions, see Adding Doors on page 225.)
Into Area The area that the badge holder enters by passing through the door.
Example: Laboratory

Out of area The area that the badge holder leaves by passing through the door.
Example: Lobby
Standard Access The seconds the door remains unlocked after access has been granted.
Time
generated.
Extended Access The seconds the door remains unlocked after access has been granted to token
holders with extended access permissions.
Card Formats
Important: To maximize the security and capacity of your locks, only

move the card formats that are actually used to the Members column.
facility code on the card. This ensures credential matching occurs during card
operation on the door that uses the card format. For more information, see
Configuring Card Formats on page 323.

Important: Before you add more credentials to the lock, refer to the DSR software for the
available credential capacity. Credential capacity is dependent on the lock model.
Door Scheduling By Batch Job (Specification)

To create a schedule for locking and unlocking doors, use a batch job specification. For more information,
see Scheduling Batch Jobs on page 478 and Setting Batch Door Modes on page 484.
Configuring Areas
An area in the ACM system defines a physical location within a secured site that requires additional access
control. This area can be relatively small, like a lab or a store room; or large, like a collection of buildings.
Areas often incorporate one or more doors with their attached inputs and outputs. You can define areas to
track badge holder location, for example in a mustering scenario, or to control access to specific areas, for
example in an anti-passback configuration to limit user access within a building or facility.
Note: Do not confuse areas with partitions. A partition is a separate administrative access zone
within the ACM system. An area is a physical location that requires additional access control.

Therefore, in a partitioned system, an area is configured within a partition.
For example, an anti-passback configuration can be used in a laboratory facility to restrict access to a specific
room.
The laboratory is divided into Area A and Area B. To secure Area B, only lab personnel who are permitted into
both Area A and B can access the lab in Area B. To allow this, the doors are configured as follows:
l The door between the smaller room in Area A and Area B is configured as Out of Area A/Into Area B. It
is the entry door for Area B.
l The door between the larger room in Area A and Area B is configured as Out of Area B/Into Area A. It
is the exit door for Area B.
l The right-side of the double door when entering Area A is configured as an Into Area A door.
l The right-side of the double door when exiting Area A is configured as an Out of Area A door.
Lab personnel with permission to enter Area A are admitted through the right side of the double door when
they swipe their entry card on the door reader. The ACM system records they are "Into Area A". Lab
personnel with permission to enter Area A and Area B can then enter Area B at the door between the smaller
room in Area A and Area B when they swipe their entry card on that door's reader. The ACM system records
they are "Out of Area A" and "Into Area B". After they have entered Area B, they can exit from the other door
to Area A. The ACM system records they are "Out of Area B" and "Into Area A". Lab personnel exiting Area A
swipe their entry card on the reader on the right side of the double door. The ACM system records they are
"Out of Area A".
Configuring Areas 318

Defined areas are added to the Area into area and Area out of area option list on the Doors Operations
page. For more information, see Configuring Doors on page 199.
Adding Areas
1. Select Physical Access > Areas.
2. From the Areas list, click Add Area.
3. Enter a name for the area.
4. Select the appliance that will maintain the area details.
5. Select the Enable Area checkbox to activate the new area.
6. Fill in the other options as required.
7. Click .
The new area is added to the Area Listings page.
Editing Areas
2. Click the name of the area you want to edit.
If you want to change the doors that are connected to the area, you must do so from the door's
Operations page.
4. Click .
Deleting Areas
2. From the Areas list, click for the area you want to delete.
3. When the browser displays a pop-up message to ask Are you sure?, click OK.
EOL Resistance
End-of-line (EOL) resistance refers to the resistance levels that must be maintained for input points. Input
devices used with doors often measure circuit resistance in ohms. This measurement is used to determine
the normal resistance level. If the resistance drops across the circuit, an alarm is sent back to the ACM
application.
For example, if resistance for a particular device has been set at 2000 ohms and the circuit's resistance
suddenly drops to 1000 ohm, an alarm is issued by the application.
Adding EOL Resistance for Mercury Input Points

To add an EOL Resistance definition for a Mercury input device:
Adding Areas 319

1. Select Physical Access > EOL Resistance. Make sure the Mercury tab is selected.
2. From the Mercury EOL Resistance list, click Add-Normal or Add-Advanced.
3. On the following EOL Resistance Add page, enter the required details.
Adding EOL Resistance for VertX® Input Points

To add an EOL Resistance definition for an VertX® input point:
1. Select Physical Access > EOL Resistance > HID.

2. From the HID list, click Add.
3. Enter the required details.
Editing EOL Resistance for Mercury Input Points

To edit an EOL Resistance definition for a Mercury input device:
1. Select Physical Access > EOL Resistance. Make sure the Mercury tab is selected.
2. Select the EOL Resistance definition that you want to edit.
Editing EOL Resistance for VertX® Input Points

To edit an EOL Resistance definition for a VertX® input point:
1. Select Physical Access > EOL Resistance > HID.

2. On the HID list, select the EOL Resistance definition that you want to edit.
Mercury LED Modes - List page

The Mercury LED Modes list lists the available Mercury Security LED modes.
Select a mode from the list of custom LED modes to modify its settings. The Mercury LED Mode Table
<number> page is displayed. For more detail, see Editing LED Modes on the next page.
Before making any changes ensure that the related doors and subpanels are correctly configured and wired,
including:
Adding EOL Resistance for VertX® Input Points 320

l Ensure that the LED drive field on the Reader: Edit screen has a valid entry (e.g. Gen 1 wire, Sep
Red/Grn no buz, OSDP).
l Ensure that the LED Mode field on the Mercury Security Operations page is set to match the table (1, 2
or 3) that you want to use.
Editing LED Modes
1. Select Physical Access > Mercury LED Modes.
2. Select a Mercury LED Mode table.
3. Review the table details. For any door State, any of the following can be updated:
l Change the color that displays when the state becomes:
o Active in the On Color column.
o Inactive in the Off Color column.
Select the color from the list.
l Change the duration that the color displays when the state becomes:
o Active in the On Time (1/10s) column.
o Inactive in the Off Time (1/10s) column.
The time is in 1/10th second ticks.
l To edit the number of times the LED blinks (where this is possible), enter the new value in the
Repeat Count column.
l To edit the number of time the blinking is accompanied by a sound (where this is possible),
enter the new value in the Beep Count column.
4. Click Save.
Restoring to Default States

l Click Restore to Default.
Editing LED Modes 321

Mercury Security LED Mode Table page
Edit any of the LED Mode tables in Physical Access > Mercury LED Modes.
Note: The actual output from the selections below (in terms of colors and beeps) may vary from
those selected depending on panel, reader type and configuration. For more information about the
colors supported, refer to the reader manufacturer documentation.
LED ID The unique identifier for the LED state.

State The door state that you can set a custom LED mode for.
On Color The color to display when the door state is active. For more information, see Editing
LED Modes on the previous page.
On Time (1/10s) The time in 1/10th second ticks that the On color will display for.
Off Color The color to display when the door state is not active. For more information, see
Editing LED Modes on the previous page.
Off Time (1/10s) The time in 1/10th second ticks that the Off color will display for.
Repeat Count The number of repeats for the on and off colors.
Note: This will not be editable for some states.
Beep Count The number of beeps to sound when the related state becomes active.
Note: This will not be editable for some states.
Restore to Default Click to restore the selections for all states to their default setting.
LED Modes for Mercury Security

For Mercury Security door controllers, there are three reader LED modes. Each mode consist of two attribute
sets:
l Door mode attributes (LED IDs 1 to 8)
Used when the reader is idle. Repeat and beep counts can not be set for these LED IDs.
Mercury Security LED Mode Table page 322

l Door processing attributes (LED IDs 11 to 15)
Used when a card or pin is presented at the reader. Repeat count can be set for LED IDs 11 and 12 only.
Beep counts cannot be set for any of these function IDs.
Mercury Security has 3 built-in LED modes. The following tables describe the settings for each mode.
Figure 8: An example of the default settings for LED modes
Configuring Card Formats

Readers that control access to doors come in many varieties and use many different card types.
Supported Card Formats

The ACM system supports the most common card types using the following card formats:
l ABA Mag: for magnetic stripe cards.
l Wiegand: for other card types, including proximity cards and smart cards. These include most newer
cards that use embedded chips and proprietary formats, which are now widely used due to
increasingly stringent security requirements.
l Large Encoded: for internal numbers that are larger than 64 bits. For example, 128-bit and 200-bit
cards need the 32-character Federal Agency Smart Credential Number (FASC-N) or Card Holder
Unique Identifier (CHUID) for PIV-I cards. Large Encoded card formats are used with FIPS 201
compliant pivCLASS readers.
Configuring Card Formats 323

You can define custom card formats, which allow a panel to control access for a variety of readers. When you
configure a door, you specify the card formats that are accepted at that door. A door can support up to 16
card formats from a system-wide total of 128 card formats. All of the doors on a single panel can collectively
use at most 16 distinct card formats.
Important: A panel that is configured to accept the Large Encoded card format can not accept
ABA Mag or Wiegand formats. However, the panel can only accept up to 16 distinct Large Encoded
card formats. Conversely, a panel that can accept any combination up to 16 of both ABA Mag or
Wiegand formats cannot accept any Large Encoded card formats.
Corporate Card Mode for Using Facility Codes

For Wiegand cards
Corporate card mode enables you to create batches of unique card numbers using different facility codes
and the same range of internal card numbers. For example, two batches of 26-bit Wiegand cards can have
facility codes 55 and 105 (respectively) and the same 1400-19999 internal card numbers. The facility code
that is inserted at the start of each card number string can be used to grant access and then easily viewed in
Monitor Events and Transaction Reports.
To use the Corporate card mode setting:
Corporate Card Mode for Using Facility Codes 324

1. On the Card Format: Add or Card Format: Edit page, enter:
Facility Code The facility code of the card format.
Example: 55 for the 26-bit Wiegand card format
Facility Code Length The length of the facility code in digits.
Facility Code Location The starting location of the facility code in the number string.
Up to 2 zeroes (0) may be inserted at the 3-bit location.
Offset The offset number for the card format. Used with Corporate card
mode.
Example: 10000
Tip: Any number can be used, however, a power of 10 higher

than the card number used is recommended. For example, if
the internal card number range is 1400-19999, specify
100000. Your range of card numbers will now increase to
5501400-5519999.
When the Offset value is set to zero (0), the card number is always
read from the card.
Corporate card mode A checkmark to enable the combination of values entered in the
Facility Code and Offset fields, and the card number read from the
card, to produce unique card numbers that the readers at different
facilities will recognize.
Example: 55 x 10000 + 1400 = 551400
Note: When Corporate card mode is enabled, the Facility

Code Length and Facility Code Location values also need to
be specified.
To enter other card format options, see Card Format Fields on page 327.
2. Click .
3. Repeat the above steps for another facility code.
Example: 105
4. When the cardholder swipes the token that is configured with Corporate card mode, the cardholder is
granted access to the door.
Issue Level Numbering for Reusing a Card Number

For ABA Mag and Wiegand cards
Issue Level Numbering for Reusing a Card Number 325

An issue level enables a card number to be reused by creating the token for a card number with an updated
issue level. Only one token for a given card number can be active at a time. If your ACM deployment uses the
Issue Level numbering option in a custom card format, complete the following:
1. On the Card Format: Edit page, enter:

Issue Level Length The length of the issue level number in the card number string. Used
with the Issue Location and Issue Level options.
Example: 3-digit number for the 56-bit card format type.
Issue Location The starting location of the issue level number in the card number
string.
Example: 0 for the 56-bit card format type.
To enter other card format options, see Card Format Fields on the next page.
2. On the Token: Edit page, enter:
Issue Level A number from 0 to 999999999, representing the issue level of the
token.
Example: If a 3-digit length was configured on the Card Format: Edit
page, you can enter 123 for the issue level of the card.
3. Click .
When a cardholder swipes the token that is configured with an issue level, the cardholder is granted
access to the door. If an issue level that is not configured is swiped (for example, any issue level that is
not 123), the following door event is generated in the log: "Valid card with an incorrect issue level."
4. If the card number needs to be reused, repeat step 2 and increment the issue level number.
5. When the cardholder swipes the token that is configured with the updated issue level, the cardholder
is granted access to the door.
Adding Card Formats

1. Select Physical Access > Card Formats.
2. Click Add Card Format.
3. In the Card Format Add page, enter the details for the new card format.
4. Click to save the new card format.
The new card format is displayed in the Card Formats list and can be assigned to doors in the system.
Editing Card Formats

2. On the Card Formats list, click the name of the card format that you want to edit.
3. On the Card Format Edit page, make the required changes.
4. Click to save the changes and download the updated card format information to all panels and
door subpanels that are assigned the format.
Adding Card Formats 326

The updated card format is available on all affected doors as soon as the updated card format information is
downloaded.
Deleting Card Formats

2. Click for the card format that you want to delete.

3. When the confirmation message is displayed, click OK and the updated card format information is
downloaded to all panels and door subpanels that are assigned the format.
The deleted card format is removed from all affected doors as soon as the updated card format information is
downloaded.
Card Format Fields

Add or edit a card format from Physical Access > Card Formats:
Name The name of the card format.

Card Format The card format type.
Type
l ABA Mag—for magnetic stripe cards
l Wiegand—for other card types, including proximity cards and smart cards.
l Large Encoded—for internal numbers that are larger than 64 bits. For example, 128-bit
and 200-bit cards need the 32-character Federal Agency Smart Credential Number
(FASC-N) or Card Holder Unique Identifier (CHUID) for PIV-I cards. Large Encoded card
formats are used with FIPS 201 compliant pivCLASS readers.See Appendix: pivCLASS
The option you select will determine which of the following options are displayed.
ABA Mag options
Facility The facility code of the card format.
Code
Offset The offset number for the card format. In ABA Mag card formats, the offset value is added to
the card number read from the card and the result is used as the card number for the access
request.
Max Digits The maximum number of digits for the card format.
Min Digits The minimum number of digits for the card format.
Facility The length of the facility code in digits.
Code
Length
Facility The starting location of the facility code in the number string.
Code
Location
Card The total length of the card number on the card.
Number
Length
Deleting Card Formats 327

Card The starting location of the card number in the number string.
Location
Issue Level The length of the issue level number in the number string.
Length
Issue The starting location of the issue level number in the card number string.
Location
Suppress By default, checking the facility code allows a single card format to be used for multiple sets
facility of cards with matching number length, but different facility codes.
check
A checkbox to ignore a facility check.
Corporate Not supported for ABA Mag card formats. Checking this option will have no effect.
card mode
Wiegand options (Mercury and HID™/VertX panels)
Facility The facility code of the card format.
Code
Offset The offset number for the card format. Used with Corporate card mode.
l If Corporate card mode is disabled (the default setting), the Offset value is added to
the card number read from the card and the result is used as the card number for the
access request.
l If Corporate card mode is enabled, the Facility Code value read from the card is
multiplied by the Offset value and then added to the card number read from the card.
The result is used as the card number for the access request.
Note: When Corporate card mode is enabled, the Facility Code Length and
Facility Code Location values also need to be specified.
When the Offset value is set to zero (0), the card number is always read from the card.
Number of The maximum number of bits this card format can have. If the Reverse card bytes option is
Bits available for this card format type and it is enabled, the value entered here must be a multiple
of 8.
Even Parity The length of the number string that will have even parity.
Length
Even Parity The starting location of the number string that will have even parity.
Location
Odd Parity The length of the number string that will have odd parity.
Length
Odd Parity The starting location of the number string that will have odd parity.
Location
Facility The length of the facility code in digits. This value must be specified if Corporate card mode
Code is enabled.
Length
Facility The starting location of the facility code in the number string. This value must be specified if
Code Corporate card mode is enabled.
Location

Card The total length of the card number on this card.
Number
Length
Card The starting location of the card number in the number string.
Location
Issue Level The length of the issue level number in the card number string.
Length
Issue The starting location of the issue level number in the card number string.
Location
Suppress A checkbox to ignore a facility check and use overlapping card number sequences in card
facility sets with matching values in the bit length and bit parity fields.
check
Note: If this mode is used with Corporate card mode, the reader will read the facility
code from the card and use it to calculate the offset. The Facility Code Only door
mode cannot be used when the Suppress facility check checkbox is used.
Corporate A checkmark to enable the combination of values entered in the Facility Code and Offset
card mode fields, and the card number read from the card, to produce unique card numbers that the
readers at different facilities will recognize.
Note: When Corporate card mode is enabled, the Facility Code Length and Facility
Code Location values also need to be specified.
Additional Wiegand options (Mercury panels only)

Step parity A checkbox to indicate that the parity must be stepped by 2.
by 2
Can only be used with cards that are encoded with this parity scheme.
Enable 37 A checkbox to enable 37-bit parity by 4 format.
bit parity
w/4 Can only be used with cards that are encoded with this parity scheme.
Enable 37 A checkbox to enable 37-bit parity by 2 format.
bit parity
w/2 Can only be used with cards that are encoded with this parity scheme.
Enable 75 A checkbox to enable 75-bit transparent mode for PIV/TWIC cards.
bit
transparent
mode
Reverse A checkbox to enable the bit-level reversal of the entire bitstream from the card when it is
card format received from the card reader. The reversed bit stream is then compared against the card
format. If it matches, then the data in the card format is used to authenticate the identity of the
cardholder.

Reverse A checkbox to enable the byte-level reversal of the entire bitstream from the card when it is
card bytes received from the card reader. The reversed bit stream is then compared against the card
format. If it matches, then the data in the card format is used to authenticate the identity of the
cardholder. For this option to correctly function, the value in the Number of Bits field must be
a multiple of 8.
Large Encoded
Number of The maximum number of bits the card format can have. The default value is 0. The maximum
Bits value is 128.
Card The maximum length (in bits) of the card format. This value must be the same as the value for
Number Number of Bits.
Length
Configuring ACM System Events

The ACM system generates events to notify you of issues that may require your attention. Events include
messages and alarms issued by specific devices in the ACM system.
You cannot create events but you can customize the existing system events to monitor what you are most
concerned about.
Events can be made into an alarm when they are assigned to an alarmed Event Type. For more information,
see Event Types - Introduction on page 400.
Searching for ACM System Events

The ACM system provides many events, so it may sometimes be easier to search for the specific event that
you want to customize. For example if you are looking for an event related to failures in the system, you can
search for events containing the word failure.
1. At the top of the Event list, enter the name of the event in the Name field.
Tip: Use any series of letters and numbers to search for the events you want to see.
You can also use the drop down list options to specify that the name of the event Starts With, Equals,
Contains or Ends With your search term.
2. If you know the event type that is assigned to the event, select one of the options in the Event Type
drop down list.
3. Click Search.
The page refreshes to show your search results.
Configuring ACM System Events 330

Customizing ACM System Events
You can edit ACM system events to customize them to your needs. For example, if an action needs to be
taken when a specific event occurs, instructions can be added to that event. These instructions will be
displayed when the event is triggered.
1. Select Physical Access > Events.

2. On the Events list, click the name of the event you want to edit.
The Event: Edit page is displayed.
Assigning Priority Colors to ACM System Events

You can assign a color to any priority level. The colors are used to highlight events with the same priority on
the Alarms page in the Monitor screen.
The alarm priority is assigned to events on the Event Edit page or the Event Type Edit page.
1. Select Physical Access > Events.

2. Select the Colors tab.
3. On the Colors list, do one of the following:
l To add a new color, click Add New Color.
l To edit a priority color, click a listed priority number.
l
To delete a priority color, click .
4. On the following page, enter the priority number that this color set should be assigned to.
5. For each of the color options, click the color field to display the color map.
6. To use this palette to select a specific color:
Customizing ACM System Events 331

a. From the HSV or RGB color fields, enter the general color you require.
All possible tints and variations of this color appear to the left in the tint area.
The new color you have selected appears on the right side of the horizontal bar above the
color element fields. The original color appears to the left.
b. To fine-tune the color, click within the tint area.
A cross appears. Drag the cross through the area to determine the exact color you want.
indicating the exact tint and shade you have selected like the following example:
The number in the Color field changes to reflect your choice.

c. If required, slide up or down the vertical slide bar to change the color still further.
d. When you're finished with this palette, click OK.
7. Click to save.
Global Actions
Global actions allow you to perform one or more actions simultaneously at a large number of doors
connected to more than one panel. These actions can be triggered in the following ways:
l Manually, from the Global Actions list.
From the browser or ACM Expedite mobile app.
l By schedule, configured from the Global Actions list.

l Automatically, when used in a Global Linkage.
One or more global actions must be defined before you can create Global Linkages.
Global Actions 332

Important: A Priority Door Policy is the most secure way to control access with the ACM system in an
emergency situation. It is also more robust than a Priority Door Global Action. A Priority Door Policy
will stay in effect on the doors it is installed on even if:
l The ACM appliance:

o Is restarted
o Is disconnected from power
o Fails over to a backup appliance
l The door or door panel:
o Goes offline
o Is rebooted
o Is disconnected from the access control network.
Adding Global Actions

1. Select Physical Access > Global Actions.
2. On the Global Action list, click Add Global Action.
3. Enter the required details for the new global action.
4. Select the objects of the global action by moving them to the Members list.
5. Click to save.
After defining all your global actions, proceed to Global Linkages to create a sequence of actions.
Adding a Group of Global Actions

Before you start, create multiple global actions.
1. Add a global action by selecting Action Group in the Type field.

2. Move the multiple global actions to the Members list.
3. Click to save.
Adding Global Actions 333

Editing Global Actions
2. Click the name of the global action.
Types of Global Actions
Note: Only Access Group Install/Un-Install, Action Group, Door Grant, Door Install/Un-install, Door
Mask and Door Mode are applicable for ASSA ABLOY external-powered doors. Door Grant and Door
Mode are not applicable for ASSA ABLOY battery-powered doors. Any locks that do not support
real-time communication with a server, will not display door mode options on the Doors list page and
maps. Door mode can be set on the Door: Edit page and by using a batch job (specification).
Type Description
Access Group Install/Un- One or more designated access groups to be installed or uninstalled.
install
Action Group A group of global actions to be run.
DMP Intrusion Area For DMP intrusion panel only. All available commands for intrusion areas.
DMP Intrusion Output For DMP intrusion panel only. All available commands for intrusion outputs.
DMP Intrusion Panel For DMP intrusion panel only. All available commands for intrusion panels.
DMP Intrusion Zone For DMP intrusion panel only. All available commands for intrusion zones.
Door Grant Entry to be granted at one or more designated doors.
Door Install/Uninstall One or more doors to be installed or uninstalled.
Door Mask Alarms to be forced to a mask or unmask state at one or more designated
doors.
Door Mode The door mode to be applied to one or more designated doors.
Email The email addresses of the recipients of global action notifications
Exacq Soft Trigger Exacq video integration only. A soft trigger to be run on the Exacq camera
system.
Input Bosch intrusion panel only. One or more designated inputs to be masked or
unmasked.
Intrusion Area For Bosch intrusion panel only. All available commands for intrusion areas.
Intrusion Output For Bosch intrusion panel only. All available commands for intrusion outputs.
Intrusion Point For Bosch intrusion panel only. All available commands for intrusion points.
Output For Bosch intrusion panel only. One or more designated outputs to be activated
or inactivated.
Editing Global Actions 334

Panel Install/Un-install One or more panels to be installed or uninstalled.
Panel Macro For Mercury Security panel only. A macro command to be run on a designated
group.
Policy Install/Un-install For Mercury Security door only. One or more designated policies to be installed
or uninstalled.
Schedule Set Mode One or more schedules to be activated, inactivated or scanned.
Deleting Global Actions

2. From the Global Actions list, click for the global action that you want to delete.
Creating Global Actions and Linkages for Bosch Intrusion System

Noted below are some examples of setting up intrusion linkages and actions.
Intrusion panel alarm due to an event in the System

An ACM system event can trigger an intrusion alarm point. To set up an alarm condition that is generated at
the intrusion panel notifying the monitoring center) due to an ACM system event (for example, a forced door),
ensure that the intrusion panel has a point with source "output" and select an index that is unused both as a
point and as an output. Follow the steps below:
1. Create global actions to activate and deactivate the output.

2. Create a global linkage to the Forced Door event, to activate the output.
3. Create a global linkage to a NORMAL Forced Door event to deactivate the output.
When the related event occurs in the ACM system, the corresponding point will be triggered at the intrusion
panel, and control over the event (for example,. silencing an alarm) can be made by intrusion panels.
Disable and enable doors from keypad

Arming an alarm at the intrusion keypad can also lock a door within the ACM system.
1. Create global actions to lock and restore the door.

2. Create a global linkage to the area arming events, to lock the door.
3. Create a global linkage to the area disarming events, to unlock the door.
It is best to set this action up with a single area as different combinations of arming and disarming could leave
the door unexpectedly locked or unlocked.
Alarms and access will be accessible from the keypad and from the Monitor > Bosch Intrusion Status >
Areas section of the ACM system.
Note: Keypad access will be limited by the tokens assigned to the identity.
Deleting Global Actions 335

Disarm Alarm on Access Grant with restricted authorities
Accessing an area by a valid the ACM system card access can automatically disarm an area.
To allow a scenario where entry to an area by a valid card access disarms an intrusion area based on the
badge holder's intrusion authorities, follow the steps below:
1. Create a global action to disarm an area. Action type of 'Intrusion Area', Subtype 'Primary Disarm' and
the relevant areas as the Members.
2. Create a global linkage to door access events.
l Devices tab: Door as the Type and the target doors as Members.
l Events tab: Local Grant.
l Actions tab: Disarm All.
Areas can be armed and disarmed from the keypad (depending on the tokens assigned to the identity) and
from the Monitor > Bosch Intrusion Status > Areas section of the ACM system.
Creating Global Actions and Linkages for DMP Intrusion System

An example of setting up intrusion actions and linkages is provided below.
Toggle Arming and Disarming Areas
1. Create a global action to run the Toggle: Arm / Disarm mode.

For example, enter:
l DMP Intrusion Area in Type.
l Refuse Arm in Sub-Type.
l A checkmark in Toggle: Arm / Disarm.
l In the Members box in DMP Intrusion Areas:
o Area 1 on Panel A
o Area 2 on Panel A
o Area 3 on Panel A
o Area 1 on Panel B
o Area 2 on Panel B
o Area 3 on Panel B
For more information, see Adding Global Actions on page 333.
2. Run each global action by clicking Execute on the list of global actions.
3. View the status changes on Monitor > DMP Intrusion Status:
l An Armed area becomes Disarmed.
l A Disarmed area becomes Armed.
For more information, see Monitoring and Controlling DMP Intrusion Systems on page 61.
4. To run them on a schedule, see Scheduling a Global Action on page 483.
To run them as arm or disarm events are generated, see Global Linkages - Introduction below.
Disarm Alarm on Access Grant with restricted authorities 336

Global Linkages - Introduction
Global linkages are the final step in the process that defines specific actions for triggering events at specific
doors. What separates this procedure from the Macro or Trigger features available for specific doors or
panels, is that this feature is capable of connecting many doors and inputs spread across many panels.
For example, you could lock down an entire building simply by issuing a single trigger. At a more
sophisticated level, you can use global linkages to plot a complex scenario, like a sally port or a man trap, in
which a series of doors are opened in sequence, inputs associated with those doors are sequentially masked
and unmasked, and cameras are turned on as each door is opened.
Global linkages allow you to plan a cascade of triggers and their resulting actions with only a single code
entry or command.
Adding Global Linkages

1. Select Physical Access > Global Linkages.
2. On the Global Linkage list, click Add Global Linkage.
3. Enter the required details and click .

4. Edit each tab to add the required events, devices, identities and actions.
5. Click to save your changes on each page.
Editing Global Linkages

1. Select Physical Access > Global Linkages.
2. On the Global Linkage list, click the name of the global linkage that you want to edit.
3. Edit each tab as required.
4. Click after editing each page to save your changes.
Mustering
In emergency situations, employees and other personnel in your building may be required to gather at
specific locations so emergency response teams can work quickly to ensure that everyone is safe. For
example in a fire drill you may be asked to wait at a specific spot, or muster station, until the drill is over. This
would be the same spot you would gather in an actual fire.
To help track the location of users in emergency situations, Access Control Manager offers the Mustering
feature. Mustering allows you to create a dashboard to quickly monitor who has arrived at their muster station
and who is still in danger during emergency situations.
Mustering - Requirements
To use the Mustering feature, you must configure each muster station and give users access to it in the ACM
system.
Global Linkages - Introduction 337

1. Create an area for each muster station. For more information, see Adding Areas on page 319.
2. To organize related areas together, you can combine them into groups.
3. Identify all the doors that lead to the muster station area, then make sure the correct area is assigned
to each door.
a. In the Access Control Manager software, select Physical Access > Doors.
b. Click the name of the door that should be in the area, then select the Operations tab.
c. From the Into Area drop down list, select the area the door enters into.
d. From the Out of area drop down list, select the area the door exits from.
e. Click .
4. Create an access group that includes all the doors in the muster station area.
5. Assign the access group to a role that would need access to the mustering area.
Tip: Create a role for each mustering area. If users physically move locations within an
organization, they can be easily assigned to new mustering stations without impacting their
primary role in the system.
6. Assign the role to each identity that would need access to the muster station.
Next, create a dashboard to track identities as they arrive at the appropriate muster station in emergency
situations.
Mustering - Creating a Dashboard

A Mustering dashboard is a map that contains a quick view of who has entered each muster station area.
The dashboard can be a simple list of all the Mustering areas, or it can be configured into color coded shapes
for quick identification.
You can add a dashboard to any map, or you can create a blank map to host the dashboard.
1. Select > Maps.

The Map Templates list is displayed.
2. In the Map Templates list, decide if you want to add a dashboard to an existing map or create a blank map.
l To add the dashboard to an existing map, click the name of the map you want to use.
l To create a blank map, click Add New Map Template then check the Use Blank Canvas box.
Complete the other details and click .

3. On the Map Template Edit page, click Add beside Dashboard Elements.
4. Enter a title for the dashboard element. The map automatically updates with each change that you
make.
5. Click the Title Font Color field to change the text color.
6. In the Title Font Size drop down list, select the size. The options are Small, Medium and Large.
Mustering - Creating a Dashboard 338

7. For the Opacity option, choose how transparent you want the dashboard element to be. You can
enter a percent number, or move the slider to set the opacity. 100% is opaque and 0% is transparent.
8. In the Location field, enter where you want the dashboard element to appear on the map. You can
also move the dashboard element directly on the map.
9. In the Element Type drop down list, select if you want the dashboard element to appear as Text Only
or Graphic & Text.
If you choose Graphic & Text, the following options are displayed:
a. In the Area Group/Area drop down list, select the muster area this dashboard element
represents. You can select a specific area or a group of areas.
b. From the Graphic Shape drop down list, select Circle or Square.
c. Click the Graphic Color field to change the graphic shape color.
d. For the Graphic Size option, choose how big you want the graphic to be. You can enter the size
in pixels, or use the slider to adjust the size.
To use the dashboard, see Using a Map on page 452.
Mustering - Using the Dashboard

Once you have the Mustering dashboard set up, you can monitor access to each muster station area in the
event of an emergency.

2. Select the Mustering dashboard from the Map list.
Note: Depending on how your dashboard is set up, your map may look different. Dashboard
elements may appear as a line of text or as a shape with text inside.
Each dashboard element is labeled in this format: <# people> <Area Name>. The title of each
dashboard element displays the total number of people that are in the grouped area, and listed below
the title is a list of each area within the group.
As people move from one area to the next, you can track who is still in the danger area and who has
arrived in a safe area.
3. Click a dashboard element to display a list of all the people who are in an area.
Click the name of a person on the list to go to their Identity page. The Identity Edit page will tell you the
last door and area this person accessed.

4. To generate a report of all the people in each area, select Reports > Area Identity Report.
By default, the report displays a list of identities that are in each configured area, but you can filter the
list to display only specific areas.
Mustering - Manually Moving Identities

In an emergency situation, it is hard to anticipate how people will move and arrive at their mustering stations.
If someone chooses to follow another to their mustering station and does not check-in with their badge, you
can manually set the identity as having arrived to a safe Mustering area.
Note: Confirm the location of the person before you reset their actual location in the system.
1. Select Identities. Click the name of an identity.

In the Identity Information area, the last door and area accessed by the person is displayed.
3. In the Last Area drop down list, select the specific area that the person is currently located.
4. Click .
Mustering - Manually Moving Identities 341

Managing Appliances
When you log in to the ACM application, you are accessing an appliance that is set up in your network. The
appliance configures and directs communication between all the elements in the access control system.
After you have connected your appliance to the network, you can further customize and set up your
appliance to meet your system requirements.
Editing Appliance Settings

After initial setup, you can edit the ACM system settings and set up backup and redundancy for the
appliance.

If only one appliance is managed by the system, the Appliance Edit page is displayed.
If more than one appliance is managed by the system, the Appliance list is displayed. Select the
appliance you want to edit.
2. Navigate through the following tabs to configure the appliance:
l Appliance tab: Edit system, network and storage settings, as well as shut down or restart the
appliance remotely.
l Access tab: Specify and enable the controller panel types.
l Ports tab: Specify how the Ethernet ports on the appliance are used to communicate with
access control devices, including DHCP.
l Replication tab: Set up system replication and redundancy.
l Backups tab: Set up scheduled backups for the appliance.
l Logs tab: Access the system logs.
l Software Updates tab: Update the appliance software.
l SSL Certificate tab: Configure SSL certificates used in the authentication of ACM Client users.
For more information, see Configuring Remote Authentication Using SSL Certificates on
page 411.
l About tab: View and manage licenses, and view the version numbers and End User License
Terms and Conditions.
Deleting an Appliance
Appliances may need to be deleted in certain cases. If you want to disconnect an appliance that is no longer
needed, delete it from the system before physically removing it. If you want to take an appliance that is being
used for replication or redundancy and use it as a primary appliance, the appliance must be deleted first.
Managing Appliances 342

Note: You can only delete an appliance if your system has more than one appliance.
2. From the Appliance list, click beside the appliance that you want to delete.
The selected appliance is removed from the list.
Configuring Replication and Failover

The Replication tab on the Appliance: Edit page allows configuration and monitoring of LDAP data
replication and optionally redundancy/failover of the ACM application so that monitoring and hardware
control is not lost even if an appliance fails. Only the default Admin identity can edit the appliance Replication
settings.
Important: The ACM 6 license format is different from previous versions. You will need to upgrade
your license format if you upgraded from ACM 5.12.2 to ACM 6.0.0 or later in order to add new
licenses. Replication features, including failover, will not function if your license format is not the
same on both the primary and standby appliances.
The replication feature allows two or more appliances to be set up to share a single set of LDAP configuration
data, so that the appliances can share identities and other system details. Any change made to configuration
data on one appliance is automatically copied (“replicated”) to the other appliances. This is referred to as a
“Peer to Peer” configuration. In this configuration, each appliance “owns” the hardware installed on it, and
events and status information sent from that hardware can only be viewed on the hardware owner appliance.
All panel hardware added in a replicated environment must be assigned upon creation to one of the available
Peer to Peer appliances. A panel and its subpanels cannot be split across multiple appliances, but is installed
on one of the Peer appliances.
Tip: It is recommended that replication be set up on all appliances before adding panels, other
hardware or user details to the system. After replication is configured, it is possible to configure
system hardware and identity information from one of the replicated appliances on the network
rather than having to connect directly to each individual appliance to make changes to its installed
hardware. However, it may be necessary to perform a download of the hardware configuration from
the appliance where the hardware is installed in order to update the hardware with the latest
configuration data changes made from another appliance.
Configuring Replication and Failover 343

Failover/Redundancy Feature
The failover, or redundancy, feature of replication allows a “Hot Standby” appliance to be set up to take over
control and event monitoring when the Primary appliance used in daily operations fails. This configuration is
referred to as Primary/Hot Standby. To use the failover feature, both appliances are originally configured with
Peer to Peer replication so that each appliance will share a common LDAP configuration database. The Hot
Standby appliance is then configured as such, and then will not have its own hardware or collaborations, and
will not appear in the list of replicated appliances available for assignment when these items are created.
Each Primary appliance can only be assigned one Standby appliance, but the same Standby appliance can
be assigned to more than one Primary appliance. However, if two or more Primary appliances fail at the same
time, the Standby appliance will replace the first appliance that it knows is offline (if configured for automatic
failover), and will not be available for failover of the other Primary appliances while it is standing in.
The following types of failover and failback are supported:

l Automatic failover
l Manual failover
l Manual failback
Automatic failover
Automatic failover is controlled by the Standby appliance by monitoring the health of the Primary appliance. If
a Primary appliance is found to be unresponsive by the Standby appliance within a set period of time, the
Standby appliance will automatically initiate failover of the Primary appliance and will begin to control the
hardware installed on that Primary appliance, and will begin to receive events and status from this hardware.
There are two settings that control automatic failover - Heartbeat count and Heartbeat time. The Heartbeat
count is the number of health checks the inactive hot standby appliance makes to see if the active primary
appliance is alive. If this number of failures occurs in a row, the hot standby will do an automatic failover. The
Heartbeat time is the time between health checks (regardless of if the previous check was successful or
failed).
It is not necessarily possible to calculate specifically how long it would take to failover. It is not simply a matter
of multiplying the Heartbeat count by the Heartbeat time (for example Heartbeat count of two and Heartbeat
time of 30 seconds does not necessarily mean failover in about one minute of the primary going down,
however one minute would be the best/shortest case). This is because the time it takes each check to fail
may depend on a network time-out in the case of the hot stand by machine no longer having network
connectivity to the primary machine. Typically, a worst case network time-out is approximately two minutes -
however this may possibly vary. A health check may also fail immediately depending on network
considerations/status.
It is recommended to set the Heartbeat count to at least a value of two so that a short network glitch does not
cause a premature failover. A Heartbeat count of two and a Heartbeat time of 30 seconds should typically
ensure that a failover is initiated within one to about five minutes of the primary going down.
Manual failover and failback

A manual failover can be initiated through from the Replication tab on the Appliance: Edit page on the
Standby appliance. This is usually done to test functionality or if a Primary appliance is going to be down for
scheduled maintenance.
Failover/Redundancy Feature 344

Once the Primary appliance is back online and fully functional, you can then manually initiate failback of the
Standby appliance over to the Primary appliance, which restores hardware control and event and status
reporting to the Primary appliance.
Read through all of the following procedures before configuring replication and redundancy. If any detail is
unclear, contact Avigilon Technical Support for more information before you begin.
Recommended System Architecture

System Architecture for Replication
Replication works by automatically copying the LDAP1 configuration databases from one appliance to
another. Changes made in one appliance’s database are automatically replicated to the all of the other
appliances. Replication can occur between two or more Peer to Peer appliances, or it can occur between a
Primary appliance and its Standby appliance, and a mix of both configurations is possible.
If you only have one appliance in your system, replication is not possible. In this situation, performing periodic
backups is the recommended method of ensuring appliance recovery after a failure.
When two appliances exist, they can start replicating information.
Once replication is set up, any identity or other system configuration data that is added to or edited on one
appliance is automatically copied to the other appliances. Be aware that each appliance will be responsible
for their connected panels, subpanels, and other hardware. Configuration and viewing of all system hardware
is possible from any replicated Peer appliance, but you will not be able to see the hardware status or events
from any appliance other than the one the hardware is installed on.
When more than two replicated Peer appliances exist, it is recommended that Peer to Peer replication be set
up in a mesh formation, where every Peer appliance has links (“subscriptions”) to all of the other Peer
appliances. This allows system configuration to be performed from one Peer appliance and have the details
automatically replicated to all the other Peer appliances, while providing multiple paths for this data to
replicate among the participating appliances. The exception to this is a Standby appliance, which only needs
to have replication subscriptions with its Primary appliance.
Note: Up to 99 appliances can be connected together for Peer-to-Peer replication, and this limit
includes any Hot Standby appliances in the environment.
1Lightweight Directory Access Protocol is an open, industry standard application protocol for accessing and
maintaining distributed directory information services over a network. An LDAP database in the Access
Control Manager system typically includes user details, connected hardware details, events, alarms and other
system configuration details.
Recommended System Architecture 345

System Architecture for Redundancy
Redundancy works by having a configured Hot Standby appliance automatically or manually replace a failed
Primary appliance. Redundancy requires Peer to Peer replication between the Primary and the Standby
appliances to be configured and tested first to function properly. Once this is in place, the Standby appliance
is then designated as such and the software configures it for that role.
When configured and in standby mode, the Standby appliance is essentially a blank appliance that only has
basic system settings. The Standby appliance has its own configuration for appliance related attributes such
as host name, ports, time zone (etc.), but it does not have any hardware configuration of its own. It only has
that hardware data which is replicated from the Primary appliance that owns it. When a Standby appliances
takes over for a Primary appliance, the operating system settings on the Standby appliance (such as host
name and IP address) do not change to match the Primary appliance’s settings. Instead, the applications
running on the Standby appliance begin to service the records (including doors, panels, video servers,
collaborations and so on) previously controlled by the Primary appliance. Note that this requires a different
URL for clients to be able to access the Hot Standby appliance – this is not handled automatically by the ACM
system.
If one Primary appliance (1) exists for everyday operations and one Hot Standby appliance (*) is available, set
up the Standby appliance to subscribe to and receive replicated configuration data and transactional data
from the Primary appliance. If the Primary appliance fails, the Standby can automatically step-in and maintain
daily operations.
If more than one Primary appliance exists for a Hot Standby appliance, the Hot Standby appliance still
remains separate from daily operations but must receive replicated configuration and transaction data from
all Primary appliances it is configured to failover for. Be aware that the Standby appliance can only stand-in
for one failed Primary appliance at a time.
System Architecture for Redundancy 346

If the replicated environment with multiple appliances is configured in a mesh formation for replication where
possible, but due to some physical limitation such as a Wide Area Network (WAN) being involved one or more
of the appliances is a single point of failure for propagation of replicated data, it is recommended that each of
these appliances have its own Hot Standby appliance. In the event of a failure of one of these critical Primary
appliances, the environment is guaranteed to have a Hot Standby appliance available to ensure that all
replicated Peer appliances are able to continue to synchronize configuration data amongst themselves.
Replication and Failover Requirements

WARNING — Make sure your system meets all the following requirements before you set up
replication and failover or the system may lose configured system data.

l License requirements:
o The application license agreement must be entered on all appliances. The license key is tied to
a specific machine. When using redundancy, a license and key must be separately installed on
both the Primary and Standby appliances. The license features on a Standby appliance needs
to include all the features used by the Primary appliances it may replace.
l Network infrastructure:
o DNS registered host names for each appliance in the enterprise. Each appliance must be able
to connect to the other appliance by host name. There must be static or reserved IP addresses,
proper netmask, and network gateway for each appliance.
o Name server IP address for host name resolution. All appliances must be able to resolve all of
the other appliances by host name.
o Time Server IP address or host name. All appliances must be synchronized for time and date.
This is crucial for proper replication processing. Each must utilize a time server for this purpose.
The Open LDAP multi-primary replication used by the ACM software synchronizes a LDAP
directory tree across multiple appliances. Each appliance supports read/write operations
across an enterprise system. Conflicts are handled using a timestamp to determine the most
recent record. All appliances must use a common clock base to synchronize their clocks to
ensure the conflict resolution works correctly.
Note: Time is based on UTC (Coordinated Universal Time) to ensure consistency

across the ACM system. UTC time is transferred from the client to the server when the
date/time is set.
l Defined and open TCP ports:

o Web Server Port / Replication Subscriptions Web Port (default 443). Certain replication options
require each appliance to contact each other through the web service port.
Note: The default port must be used for Allegion Schlage locks.
o LDAP Connect Port / Replication Subscription LDAP Port (should be a unique, open TCP port
that nothing else uses). This is a TCP port used for Open LDAP replication between appliances.
o Event Replication Port (default 6052). Once a Primary/Standby appliance relationship is
established, the Primary appliance will automatically transfer event transactions to the Standby
appliance so event data will be available when a failover occurs. Connectivity is required for
both Primary and Standby appliances using the Event Replication Port (this is a TCP port used
for open SSL socket communication).
o Replication Failover Port for heartbeat (default is NONE but should be a unique, open TCP port
that nothing else uses). This is a TCP port (used for open SSL socket communication) defined
on the Primary appliance only. The Standby appliance uses it to communicate with the Primary
to check its health status in order to determine if an automatic failover is required, if monitoring

is enabled on the Standby appliance.
o These ports must be open across the network between the two appliances.
l Appliance replication address. A unique numeric address number must be reserved and configured
for each appliance, starting at 1 and extending to 99 (confirm max count). These addresses need not
be in sequence.
Note: You can have up to 99 appliances connected together for replication, including any
Standby appliances configured for failover.
l Software updates. When software updates are installed, they should be installed on all appliances in a
timely manner (i.e. one after the other). Note that the appliance with address 1 should always be the
first appliance in the environment to have software upgrades applied to it, as any LDAP schema and
data changes (adding deleting system records, massaging of data) involved are performed there and
replicated out to the other appliances. The other non-address 1 appliances will not have these LDAP
schema changes applied by the upgrade, so it is essential to upgrade the address 1 appliance first.
The remaining appliances can be upgraded in any order once the address 1 appliance is back online
after its upgrade completes.
l Recommended SMTP settings. The SMTP settings configure which mail server should be contacted to
send out email and which account should be used. This is configured separately per appliance. When
the Primary and Standby appliances are physically separated, sometimes by considerable distances, it
is recommended to assign local mail servers for each. A mail server must be set up on both Primary
and Standby appliances if you want to send email notifications for failover and failback occurrences.
1. Preparing Appliances for Replication and Failover

Before you can set up replication and failover, you must set up the appliances to use the required network
infrastructure and assigned ports. For more information, see Replication and Failover Requirements on
page 347.
Setting Up the Primary Appliance

Whether you are configuring two or more appliances to replicate to each other in a Peer to Peer system, or
configuring a Primary/Hot Standby redundant failover system, designate one appliance as the replication
address 1 appliance. This appliance should not be used as a Standby appliance, and will be the first appliance
to have software updates applied to it.
1. Preparing Appliances for Replication and Failover 349

1. Log in to the appliance that will use replication address 1.
2. On the Appliance Edit page, enter values for the following fields in the Appliance tab:
l Name – An appropriate name for the appliance so that you can identify it on sight.
l Host Name – The appliance's hostname on the network.
l Name Server – The IP address of the DNS server.
l Time Server – The name or IP address of a time server that is accessible on the network. The
time on all connected appliances must be in sync. This setting is crucial for a replicated
appliance.

across the ACM system. UTC time is transferred from the client to the server when
date/time is set.
l Web Server Port – The port number for accessing the appliance web service.
l LDAP Connect Port – The port number for accessing the LDAP database on the appliance.
This port will be used by replication to update LDAP data and will be used when other
appliances are added to the replicated environment.
The appliance will automatically restart if changes are made to the above fields and saved.
Setting Up Additional Appliances

Complete this procedure for all the other appliances in your system. Besides the name and hostname, it is
recommended that if possible all other settings be the same as the primary appliance, as that will avoid
confusion on what ports are used and what network resources are used for time setting and name resolution.
1. Log in to the appliance

2. On the Appliance Edit page, enter values for the following fields in the Appliance tab:
l Appliance Name – An appropriate name for the appliance so that you can identify it on sight.
l Host Name – The appliance's hostname on the network.
l Name Server – The IP address of the DNS server.
l Time Server – The name or IP address of a time server that is accessible on the network. Use
the same value as the replication address 1 appliance if possible.

across ACM. UTC time is transferred from the client to the server when date/time is set.
l Web Server Port – The port number used for accessing the appliance web service.
l LDAP Connect Port – The port number used for accessing the LDAP database on the
appliance. Use the same value as the replication address 1 appliance if possible.
Setting Up Additional Appliances 350

3. If this is a Standby appliance, select the Hot Standby checkbox. Also, ensure that the Max Stored
Transactions setting is at least as large as the sum of this setting for all Primary appliances that the Hot
Standby will be backing up.
Note: Do not select this checkbox if the appliance will not be used as a Standby.

The appliance will automatically restart if changes are made to the above fields and saved.
2. Setting Up Replication Between Appliances

Before the appliances can automatically replicate data between themselves, you must set up each appliance
to accept replication.
Enabling Replication on the Primary Appliance

1. Log in to the appliance that is to be assigned a Replication Address of 1.

3. In the Replication tab, enter the following settings:
a. Enable Replication: select this checkbox.
b. Enable Encryption it is recommended that you select this checkbox to allow the open LDAP
servers to use OpenSSL TLS encryption when replication data is transferred between
appliances.
c. Address: enter 1 for this appliance. If multiple appliances exist in the system, each must have a
unique two digit number replication address, with this appliance being set to "1".
d. Identity Password: enter a password for securing LDAP data replication. This password should
be the same across all the appliances in the replicated environment.
e. Event Replication Port: enter a port number that will be used by this appliance to replicate data
to the other appliances. Default is 6052.
f. Other Fields in Replication Settings section: leave Initial Retry Time, Initial Retry Count, Last
Retry Time, Last Retry Count, Timeout, Network Timeout, and Keep Alive at their default values.
These will only need to be adjusted in consultation with Avigilon Technical Support to resolve
replication problems.
2. Setting Up Replication Between Appliances 351

Figure 9: Primary Replication tab
Enabling Replication on the Second Peer or Standby Appliance

Perform this procedure for all other appliances in the system.
1. Log in to the appliance.

3. In the Replication tab, enter the following settings:
a. Enable Replication: select this checkbox.
b. Enable Encryption: it is recommended that you select this checkbox to allow the open LDAP
servers to use open SSL TLS encryption when replication data between appliances.
c. Address: if you have only one secondary/standby appliance, enter 2 for the appliance. If you
have multiple appliances in your system, you must enter a number from 2 to 99. You cannot use
the same address twice for different appliances.
Note: Up to 99 appliances can be connected together for replication, including the
Enabling Replication on the Second Peer or Standby Appliance 352

primary appliance and standby appliances.
d. Identity Password: enter the same password as used in the primary appliance.
e. Event Replication Port: enter a port number that will be used to replicate data to the primary
appliance. Default is 6052.
f. Other Fields in Replication Settings section: leave Initial Retry Time, Initial Retry Count, Last
Retry Time, Last Retry Count, Timeout, Network Timeout, and Keep Alive at their default values.
These will only need to be adjusted in consultation with Avigilon Technical Support to resolve
replication problems.
Figure 10: Hot Standby Replication tab
3. Adding a Replication Subscription

Before adding a replication subscription between the two appliances, double-check to make sure the
network requirements have been met:

l The appliances are on the same network and are able to communicate with each other. Make sure the
appliances are able to ping each other by host name.
l Each appliance has a time server and a name server configured for them.
l A Web Server Port, LDAP Connect Port, and Event Replication Port are configured for the appliances.
Make sure these ports are open between the appliances.
l Replication has been enabled on both appliances. Both appliances have a replication identity
password configured for them.
l The clocks on both appliances are in sync. The current running time can be seen on the appliance
page for each appliance.
Always add the replication subscription to the first (replication address 1) appliance while logged into the
second appliance and from the Hot Standby’s Replication tab. As the second and subsequent appliances first
subscribe to and receive replicated data from the first (replication address 1) appliance, the existing LDAP
database on each subscribing appliance is overwritten by the replicated data from the first (replication
address 1) appliance, so that each subscriber appliance has its LDAP data properly initialized.
Note that this overwrite of the subscriber LDAP database only occurs when the first subscription is added on
a subscribing appliance. Subsequent subscriptions created on this subscriber appliance do not perform the
overwrite of LDAP data that the first subscription, as the database is already initialized. This is why it is
recommended that replication (and redundancy if used) is set up for each subscriber before adding
hardware, user identities or system configurations to avoid data being overwritten and lost.
Do not add the first replication subscription to the address 1 appliance, or all configured data on that
appliance will be overwritten as part of the initialization process described above.
1. Log in to the secondary or standby appliance. You must use the "admin" user name and password or
you will not be able to make changes to the Replication tab.

3. In the Replication tab, click New in the Replication Subscriptions area.
a. Host – enter the replication address 1 appliance’s host name.
b. Web Port – enter the replication address 1 appliance’s web port number.
c. Ldap Port – enter the replication address 1 appliance LDAP Connect Port value. This is highly
recommended to be the same as the LDAP Connect Port number on the current appliance.
d. Login – enter an account with the proper delegations for the default administrator identity. This
can be the admin account, or a different identity, can be used, but it must be an identity with the
proper delegations available in its role. Delegation required for this login are Appliance Repl
Subscription Add (remote), Appliance Repl Subscription Remove (remote), Appliance
Replication Update and Appliances Show.
e. Password – enter the password for the Login identity.

Figure 11: Second appliance subscribing to first appliance
The Replication Setup Process Log is automatically displayed if this is the first replication subscription. Click
the Continue button that is displayed.

Figure 12: Log file on subscribing appliance
The replication set up process includes the following:

l The subscribing appliance connects to the primary appliance and copies the entire LDAP database
from the primary.
l The replication subscription from the subscribing appliance to the primary is added to the LDAP
configuration database.
l A replication subscription from the primary to the subscribing appliance is automatically created and
added to the LDAP configuration database.
Now, complete the following tests to confirm that replication is functioning correctly.
Testing Replication
After setting up replication between a two or more appliances, complete the following procedures to confirm
that replication was set up correctly.
Checking the Appliance Replication Status
Once the Replication Subscription is complete, open a browser for each appliance that is set to replicate to
Testing Replication 356

each other.
After you have the browsers open, display the Appliance Replication page for the appliances. Confirm that
the following settings are the same for all appliances:
Note: The Status and System Entries area are only displayed if the primary and subscribing
appliance details are accessed together.
l Under the Status area, 1 and 2 are listed in the RID column. 1 should be the primary appliance and 2
should be the secondary or standby appliance. There may be other numbers listed if you have more
appliance subscriptions.
l Confirm that the date and time listed in the CSN column is the same for all appliances.
l Under the System Entries area, there should be at least one entry to show that the primary appliance
has replicated data to the other appliances.
l
When you click > Appliance, the Appliance list should be displayed and list all appliances.
Checking the Appliance Replication Status 357

Figure 13: Primary Replication tab showing status
Testing Two-Way Replication
1. Make a small change in the primary appliance. For example, update an address for an identity.
2. Access a subscribing appliance and check if you can see the change.
3. Make a small change in the subscribing appliance. For example, update an address for a different
identity.
4. Access the primary appliance and check if you can see the change.
If the changes you made appear in both appliances, then replication was set up successfully.
Testing Two-Way Replication 358

4. Setting Up Failover
Note: Do not perform this procedure until after replication has been correctly set up. This step
assumes that the checkbox for Hot Standby on the Appliance tab has been checked for the
appliance serving as the Hot Standby appliance.
1. Log in to the primary appliance. This procedure can only be performed on the primary appliance.

3. Select the primary appliance from the Appliance list.
4. In the Replication tab, enter the following settings in the Failover Settings area:
a. Standby Appliance: Select a standby appliance from the list. You can have more than one
standby appliance set up in the system, but only appliances identified as a standby will appear
on the list.
b. TCP Port: Enter the primary appliance's TCP port to communicate its health status to the
standby appliance.
c. Monitor On: Check this box to turn-on the redundancy monitor. This allows the standby
appliance to check the health of the primary appliance and automatically take over if the
primary appliance unexpectedly loses network connectivity.
d. Heartbeat Time: Enter how often, in seconds, the secondary appliance should check the health
of the primary appliance. If you leave the setting at 0, the system defaults to 60 seconds.
Note: A Heartbeat Count of two and a Heartbeat Time of 30 seconds should typically
ensure that a failover is initiated within one to about five minutes of the primary going
down. For more information, refer to Configuring Replication and Failover on
page 343.
e. Heartbeat Count: Enter the number of failures in a row before the secondary appliance takes
over for the primary appliance.
Tip: It is recommended to set this to at least two so that a short network glitch does not
cause a premature failover.

Figure 14: Primary Replication tab, with Hot Standby configured

Figure 15: Hot Standby replication tab showing Primary being backed up
Configuring Email Notifications for Replication Events

An event is logged every time a failover or failback occurs. You can configure email to be sent to one or more
email addresses whenever a failover and failback event is logged.
The events are:

l Appliance automatic failover completed—After an automatic failover to the Hot Standby appliance this
event is logged by the Hot Standby appliance when it is up and running on behalf of the Primary
appliance.
l Appliance manual failover completed—After a manual failover this event is logged by the Hot Standby
appliance after it is up and running on behalf of the Primary appliance.
l Appliance manual failback completed—After a manual failback this event is logged by the Primary
appliance after it is up and running again as the Primary appliance.
Before configuring email notifications for these events:
Configuring Email Notifications for Replication Events 361

l Set up and test the SMTP settings configured on both the Primary and Standby appliances.
l Access the Events Listing page and verify that these events are defined.
You can specify the email addresses to which notifications are sent for each event, or you can configure a
custom event type for the three events and specify the email addresses to which notifications are sent for the
event type.
1. To specify email addresses to which notifications are sent for each event:
a. Click Physical Access > Events to open the Events Listing page and search for the three
events. Tip: Search for events containing "Appliance".
b. Open the first event. The Event: Edit panel opens.
c. Enter one or more email addresses in the Email field. Separate email addresses with commas.
d. Click .
e. Repeat for the remaining events.
2. To create an event type for the three events and then specify email addresses to which notifications
are sent for the event type:
a. Click and then Event Types to open the Event Types panel.
b. Click the Add Event Type button. The Event Type: Add panel appears.
c. Enter a name for the Event type. Complete the other options as required.
d. Enter one or more email addresses in the Email field. Separate email addresses with commas.
e. Click .
f. Click Physical Access > Events to open the Events Listing page and search for the three
events. Tip: Search for events containing "Appliance".
g. Open the first event. The Event: Edit panel opens.
h. In the Event Type option, select the new event type from the drop-down list.
i. Click .
j. Repeat for the remaining events.
Removing Replication and Failover
Important: Call Avigilon Technical Support before you attempt to remove or delete the replication
and failover settings.
Depending on your system configuration, it may require careful planning before you are able to successfully
disable replication and failover on your system. To avoid possible data loss, contact Avigilon Technical
Support to help guide you through the process.
Removing Replication and Failover 362

Failing Over and Failing Back
If you've set up replication and failover, the access control system will keep running during planned or
unplanned system outages. In the event of a system outage, an appliance may go offline and fail-over to a
standby appliance that can take over regular operations until the original appliance comes back online.
In an unplanned system outage, the system will automatically failover. In a planned system outage, you can
manually failover an appliance so that the system can continue to run. Once the original appliance is ready to
come back online, you can tell the replacement appliance to failback and allow the original appliance to
resume normal operations.
Automatic Failover
If the Monitor On option is enabled in the Primary appliance's Failover Settings area on its Replication tab, the
Hot Standby appliance will automatically try to communicate with the Primary appliance periodically. If the
Primary appliance does not respond in the set amount of time, the Hot Standby appliance assumes that the
Primary appliance has failed, and automatically takes-over for the Primary appliance.
If the Monitor On option is disabled in the appliance's failover settings, the Primary appliance will simply fail
and the Hot Standby will not stand-in unless it is manually told to do so.
To check if a Primary appliance has failed-over to a Hot Standby appliance, confirm the following details:
l You are unable to connect to the primary appliance through the web browser.
l When you log in to the Hot Standby appliance, you see that the Hot Standby has started logging
hardware events on its Event Monitor screen.
Hot Standby appliances do not have any connected panels or other hardware until they take over from
a Primary appliance, so there should not be any hardware events listed on the Event Monitor screen
unless the Hot Standby appliance has stood in for its Primary appliance.
l When accessing the Appliance > Replication page on the Hot Standby appliance, it is listed as Active:
Yes beside the name of the inactive Primary appliance.
Manual Failover
If there is a planned system outage, like an appliance upgrade, you may want to have the primary appliance
manually failover to the standby appliance so that the system can continue to function while the upgrade
occurs.
In anticipation of a planned system outage, Monitor On failover option should be disabled so that a Primary
appliance does not failover until it is instructed to do so.
To manually failover an appliance, complete the following:
1. Log in to the Hot Standby appliance.

2. Access the Appliances > Replication page.
3. In the Failover Settings area, click the Take Over button beside the Primary appliance to instruct the
Hot Standby appliance to stand in for the Primary appliance.
After a few moments, the Active status will change to Yes beside the Primary appliance that the Hot Standby
has replaced and the Take Over button is replaced by the Fail Back button. Notice that once the standby
appliance has replaced an appliance, it cannot be set to take over for another Primary appliance until after it
Failing Over and Failing Back 363

has failed back to the Primary appliance that it is standing in for.
Figure 16: Hot Standby after taking over from Primary
Failback
After a failover has occurred, you can set the standby appliance to failback once the primary appliance is
ready to return to normal operations.
Failback 364
1. Log in to the Hot Standby appliance.
2. Access the Appliances > Replication page.
3. In the Failover Settings area, click the Fail Back button next to the failed over Primary appliance.
Monitoring Transactional Replication to Hot Standby

As part of the redundancy design, Postgres transactional data is replicated from a Primary appliance to its Hot
Standby appliance. This is so that if a failover of the Primary appliance occurs all of the transactional history
will be available on the Hot Standby. The status of this replication can be observed for the appliances in the
Transaction Replication Status section of the Replication tab on the Appliance: Edit page.
For the Primary appliance, this section contains information about the last row of Postgres transactional data
replicated from the Primary to its Hot Standby, including rowid of record in basetrx table (Last Trx ID), date
that transaction occurred (Last Trx Date), the last attempted replication time (Last Attempt Time), and its status
(Last Attempt Status). For the Hot Standby this information is displayed for the Postgres transactional data it
has, with transaction data displayed for the last transaction replicated to the Hot Standby for each Primary it is
backing up.
Figure 17: Primary transaction replication status
Figure 18: Hot Standby transaction replication status
Configuring Network Connections

You can set up how appliances are connected to panels and associated doors. From the Appliance Ports tab,
you can set up virtual ports and routes for each Ethernet port. You can also set up serial ports.
Configuring Ethernet Ports

Appliances can have up to eight RJ-45 Ethernet ports. These high-speed ports can be configured to connect
to a series of interlinked door controllers or panels.
Note: You cannot add or remove an Ethernet port from the appliance but you can add virtual ports.
Monitoring Transactional Replication to Hot Standby 365

To enable and configure an Ethernet port:
1. From the Appliance Edit page, select the Ports tab.

The Port list is displayed.
2. Click the name or port number from the Ethernet Ports list.
The Port: Edit page is displayed.
4. Click Save.
Note: If you assign or change the IP address, make sure that any switches or routers connected to
the appliance recognize the changed address. To do this, perform one of the following:
l Reboot the appliance.

l Unplug the Ethernet cable that is connected to the appliance, wait a few seconds, then plug it back in.
If the switch or router is not able to detect the appliance's new IP address, you may need to manually update
the switch or router. Refer to the switch or router documentation for more details.
Adding Ethernet Routes

If you prefer not to use the default Ethernet route set by the appliance, you can add a new Ethernet route for
appliance and controller panel communication.

The Port list is displayed.
2. In the right most column of the Ethernet Ports list, click Routes.
The Routes list is displayed.
3. From the Routes list, click Add New Route.
The Route Add page is displayed.
4. Complete the fields as required to define the new Ethernet route.
5. Click Save.
6. Repeat this procedure to add all the routes that are required.
Enabling Serial Ports

Each appliance includes one or more serial ports for connecting devices via RS-232 or RS-485. Serial ports
can be used to connect troubleshooting consoles or to connect panels that do not have Ethernet
connections.
To enable a serial port on an appliance:
Adding Ethernet Routes 366

1. Connect the appliance to one or more panels via the appropriate serial port.
Note the port number for each serial cable connection.
The Ports list is displayed.
3. At the bottom of the page, click the serial port you want to enable.
The Serial Port Edit page is displayed.
4. Select the Enable checkbox.
5. Complete the remaining fields as required to define the serial connection.
6. Click Save.
Backups
You can configure backup events to generate backup files of the configuration and transaction databases of
the ACM system. The backup files can be used to restore information if an appliance's configuration or
transaction data ever becomes corrupted. They are used to retain data, especially transactional data, for
regulatory purposes.
Configuration and transaction data are separately backed up. Backup events can either be scheduled on a
daily or weekly frequency, or manually started. Backup files can also be encrypted, which may be required to
protect data that is retained for regulatory purposes.
Configuration data, which includes identity information (including photographs, data, and tokens), can
generate large backup files. Backups should be generated regularly, and at the very least, following changes.
In the event of a catastrophic failure, an up-to-date configuration backup enables the ACM system to be up
and running again much faster.
Transactional data, which is generated while the ACM system is active, can be retained in backup form to
meet any applicable regulatory requirements, and can be generated to meet data retention policies.
Backing Up System Data

You can configure the appliance to back up system configuration settings and transaction event details. More
than one backup event can be created, and each backup file can be stored in a different location. You can
define a schedule for a backup event. Scheduled backups can occur at least once a week or at most once a
day at a specific time. A backup event without a schedule must be manually started.
Note: Configuration data (including tokens) and transactions data must be backed up separately.
1. From the Appliance Edit page, select the Backups tab.

2. Click Add New Appliance Backup.
The Appliance Backup: Add New page is displayed.
3. Enter a name for the back up.
Backups 367
4. Select the preferred Backup Type.
Some of the settings change to match the selected backup type.
5. From the Data Type drop down list, select Configuration or Transaction.
6. Click Browse to select where the back up files will be stored.
7. Optionally, in the Schedule area, select the days of the week when the back up will occur then enter
the preferred backup time in 24 hour format. Leave the schedule options blank for a backup that can
only be manually started.
8. Click Save.
Manually Backing Up Data

After you've set up a backup event, you can manually start a backup at any time; for example, to create a
backup of the current data before restoring an older backup.
The Appliance Backup list displays.

2. In the row for the backup you want to start, click Backup Now to start the backup.
The backup file name is generated in this format: <backup name>-<date: yyyyMMDDHHMMSS>.
Note: When you are using the Local Drive backup type, the previous backup file is
overwritten. For all other backup types, the file is added to the configured Location.
Restoring Backups
If the appliance's configuration or transaction data ever becomes corrupted, you can restore the data from a
backup.
Start with the most recent backup prior to the data being corrupted. The restored data will overwrite all the
configuration or transaction data.
Restored configuration data won't be downloaded to the panels immediately. After the backup is restored,
verify that the restored data for panels is correct. For example, identities (or door schedules, or overrides and
so on) that you deleted after the backup was created may have to be deleted again, and identities that you
added after the backup was created may have to be added again. Then, manually download the restored
verified configuration data to each panel in your system. For more information about downloading panels,
see Resetting Doors Connected to a Subpanel on page 178.
As well as restoring backups from your ACM appliance, you can restore backup files:
l From other ACM systems, or that were created using backup events that are no longer on your
system. For more information, see Restoring Backups From Other Backup Events on the next page.
Backups created in versions prior to the ACM software release 5.12.2 may not be compatible with later
Manually Backing Up Data 368

ACM releases. Contact Customer Support if you need to restore a backup from an earlier release.
l Stored on your local workstation.
To restore a backup file created on your ACM appliance (other than one created by a Local Drive backup
event that has been downloaded to the default Downloads folder of your local workstation):

The Appliance Backup list displays.
2. Click File List beside the backup that you want to restore.
3. In the far right column, click Restore beside the copy of the backup that you want to restore.
The selected file is copied to the appliance and replaces the existing configuration or transaction
information on the appliance.
Note: See Downloading All Tokens on page 310 if you have restored an ACM appliance that is
connected to a SALTO server.
Restoring Backups From Other Backup Events

You can use a backup event to restore a file created by another backup event, as long as the backup type is
the same. This can be useful if you have to restore a backup created with a backup event no longer on your
system, or from another ACM system.
Note: It is also possible to restore backups from earlier releases of ACM systems. However, backups
created in versions prior to the ACM software release 5.12.2 may not be compatible with later ACM
versions.
To restore a backup created by another backup event, you must:
1. Identify the name of the backup event used to create the backup:
a. Locate the backup file that you want to restore. The filename format is <backup event name>-
<date: yyyyMMDDHHMMSS>.
b. Note the name of backup event that is embedded in the file name.
2. In the ACM Client software:
Restoring Backups From Other Backup Events 369

a. From the Appliance Edit page, select the Backups tab.
The Appliance Backup listing page displays.
b. Rename or create a backup event with the same name as the backup event used to create the
backup file:
l To rename an existing backup event:
i. Click on the name of the plan to open the Appliance Backup: Edit page.
ii. Enter the new name for the backup event.
iii. Leave the other fields as they are.
iv. Click to save your changes.
Tip: After you have restored the backup file, rename the backup event to its
previous name if you want to continue to use it as before.
l To create a new backup event:

i. Click to add a new backup event.
ii. Enter all the details for the backup event, specifying the location of the backup
file to be restored.
iii. Click to save your changes.

3. Copy the backup file to the location specified in the back up event you will use.
4. In the ACM Client software:
a. Click File List beside the backup that you want to restore.
The Backup File List is displayed.
b. In the far right column, click Restore beside the copy of the backup that you want to restore.
Important: The name of the backup event must match the backup event name
embedded in the filename of the backup file.
c. The selected file is copied to the appliance and replaces the existing configuration or
transaction information on the appliance.
Logs
Appliance logs are automatically generated to monitor communications between panels and devices.
Accessing Appliance Logs

Appliance logs are automatically generated to monitor communications between panels and devices.
The appliance logs are automatically generated and monitor the communications between panels and
Logs 370
devices. They can be used to help diagnose appliance issues.
1. From the Appliance Edit screen, select the Logs tab.

The Logs list is displayed.
2. Click the log you want to view.
The Appliances Log page displays.
Log details are displayed in chronological order. The earliest log event is displayed at the top, and the most
recent is displayed at the bottom. The full text of the log is displayed. Each log is different because of the
different activities that are tracked by the log. The name of the Appliance and the Log file are displayed at the
top of the screen for each log.
Software Updates
Software updates are available for download and installation.
Updating the Appliance Software

Access Control Manager software updates are available for download from the Avigilon website:
avigilon.com.
Once you've downloaded the latest version of the software, you can install the update to the appliance from
any browser on the network.
1. From the Appliance Edit page, select the Software Update tab.
Report Trx backlog The count of event transactions waiting to be processed for reporting.
Report Audit The count of system and user audit events waiting to be processed for
backlog reporting.
File Name The name of the update file currently available to this appliance.
Size (Bytes) The size of the update file in bytes.
Upload Date The time and date when this update file was uploaded to the appliance.
2. Upload the latest version of the Access Control Manager software to the appliance.
a. Click Add Software Update.
b. Click Choose File and then locate the latest software file that was downloaded.
c. Click to upload the file to the appliance. It may take several minutes for the upload to
complete. Do not navigate away from the page during the upload or the upload is automatically
canceled.
3. When the software file is uploaded to the appliance, click next to the filename.
When the update is complete, the appliance will automatically reboot.
Software Updates 371

Note: When the ACM system boots up, you must save the appliance on the Appliance: Edit page to
ensure the ACM appliance reboots. You do not need to make any changes to the page prior to
clicking Save to have the reboot occur.
SSL Certificates Overview

For ACM Admin users (default is no delegation) or Super Admin users with the SSL Certificate List, SSL Certificates New, SSL Certificate
New CSR and SSL Certificate Load Cert delegations assigned to their role.
A self-signed Secure Socket Layer (SSL) certificate identifies and secures the communication between an
ACM appliance, your browser and the external services that interact with the appliance. The appliance
certificate and web client certificates will encrypt communication to ensure that only the expected receiver
can read the communication.
Update the default self-signed SSL certificate that is shipped with your ACM appliance with your certificate or
a certificate provided by your certificate signing authority. ACM allows you to create a new certificate, or
create a certificate signing request and then upload it.
Note: If you are using FIPS-certified ciphers, ensure the Use FIPS 140-2 compliant ciphers only
setting is enabled before you upload a certificate. For more information, see Enabling FIPS 140-2
Encryption on ACM Appliances on page 529.
Certificates installed on ACM may affect Allegion Schlage® lock operation, and therefore, must
comply with Allegion Schalge lock requirements. For more information, see Schlage documentation.
The default web server port in ACM must also be used. If your appliance is using a custom certificate,
Allegion Schlage Wi-Fi locks will require you to upload the proper CA certificate. For more
information, see Step 2: Setting Up Communication to Offline Wi-Fi Locks on page 293.
Supported Certificate Standards

The ACM appliance certificate supports the secure hash algorithm, SHA-384 with elliptic curve digital
signature algorithm (ECDSA). The SHA-256 with RSA algorithm is still supported for third-party certificates.
Note: To provide maximum security strength for your ACM system, ensure the certificate meets the
U.S. government's National Institute of Standards and Technology (NIST) Special Publication 800-
131A (SP 800-131A) standard.
If your ACM appliance to ACC integration deployment is having trouble connecting, review the
certificate requirements for the two systems. You may need to update the certificate on the ACM
appliance to resolve the connection issues between the two systems.
SSL Certificates Overview 372

Viewing the SSL Certificate
2. Select the SSL Certificate tab.
The current SSL certificate is displayed.
Creating an SSL Certificate

To create a self-signed SSL certificate:

3. Click New Certificate below the current certificate.
4. Enter:
Country Name The two-letter country code.
State or Province Name The name of the state or province.
Locality Name The locality, such as city.
Organization Name The name of your company.
Organization Unit Name The unit, section or department.
Common Name The hostname of the appliance.
Email Address The email address of the support contact in the company.
Subject Alternative Name The fully qualified domain name (FQDN) or a comma-separated list of
domains, such as appliance.yourorg.com,
appliance.yourorg.net.
Days Valid The number of days the SSL certificate is valid for. Range is 1-3650.
5. Click to save and then OK to confirm the certificate creation.

Your ACM appliance is rebooted automatically to complete the process.
Creating a Certificate Signing Request

To create a Certificate Signing Request:

3. Click Certificate Signing Request below the current certificate.
4. Enter:
Country Name The two-letter country code.
State or Province Name The name of the state or province.
Viewing the SSL Certificate 373

Locality Name The locality, such as city.
Organization Name The name of your company.
Organization Unit Name The unit, section or department.
Common Name The hostname of the appliance.
Email Address The email address of the support contact in the company.
Subject Alternative Name The fully qualified domain name (FQDN) or a comma-separated list of
domains, such as appliance.yourorg.com,
appliance.yourorg.net.
Days Valid The number of days the SSL certificate is valid for. Range is 1-3650.
5. Click .
6. When the Download CSR and Download Private Key links appear, click them to download both files
to your local drive.
7. Send the certificateRequest.csr file to your signing authority to obtain a signed certificate.
Note: Protect your csrPrivatekey.key file and make sure that it is accessible only to
trusted administrators.
Next, see Uploading an SSL Certificate below.
Uploading an SSL Certificate

To upload self-signed certificate files:

3. Click Load new SSL Certificate.
4. Upload your new certificate and matching key files from your local drive in the Upload SSL Certificate
and Upload Private Key fields.
5. Click to save and then OK to confirm the uploads.

Your ACM appliance is rebooted automatically to complete the process.
About Appliances page
View the ACM appliance version and licenses, and add or upgrade licenses, on the About tab in
> Appliance:
Adding a License
When you first install an ACM 6 system, you will need to license the system to use its features. Add additional
Uploading an SSL Certificate 374

licenses to access new features as required.
If you do not already have a license, purchase one from Avigilon.
Online Licensing
If you have Internet access, use online activation. Otherwise, see Offline Licensing below.

3. In the Add Licenses dialog, enter your Activation IDs.
Offline Licensing
Internet access.
In the ACM system:

3. In the Add Licenses dialog, select the Manual tab.
4. Enter your Activation IDs.
5. Click Save File... and select where you want to save the .key file. You can rename the file as
required.
In a browser:
1. Go to activate.avigilon.com.
2. Click Choose File and select the .key file.
3. Click Upload.
Important: When reactivating a site cluster, upload all the deactivation .key files first and
then the single activation .key file at last.
A capabilityResponse.bin file should download automatically. If not, allow the download to

occur when you are prompted.
4. Complete the product registration page to receive product updates from Avigilon.
5. Copy the .bin file to a computer running the ACC Client software.

In the ACM system:
1. In the Add Licenses dialog, click Choose File.

Removing a License
You can deactivate individual licenses and activate them on a different system.
Online Licensing
If you have internet access, use the following procedure. Otherwise, see Offline Licensing below.

2. In the About tab, select the checkboxes next to the licenses you want to remove.
3. Click Remove License.
4. Verify the licenses and copy the Activation IDs for your records.
5. Click Remove Licenses.
Offline Licensing
Note: You need a licensing. avigilon.com account. Contact your organization's Technical Contact for
access.
Internet access.
In the ACM system:

2. In the About tab, select the checkboxes next to the licenses you want to remove.
3. Click Remove License.
4. Verify the licenses and copy the Activation IDs for your records.
5. Select the Manual tab.
6. Click Save File... and select where you want to save the .key file.
In a browser:
Removing a License 376

a. Go to activate.avigilon.com.
b. Click Choose File and select the .key file.
c. Click Upload.
Important: When reactivating a site cluster, upload all the deactivation .key files first
and then the single activation .key file at last.
A capabilityResponse.bin file should download automatically. If not, allow the download

to occur when you are prompted.
d. Complete the product registration page to receive product updates from Avigilon.
e. Copy the .bin file to a computer running the ACC Client software.
1. In the success message, click here to download the license file capabilityResponse.bin.
2. Copy the .bin file to a computer running the ACM system.

In the ACM system:
1. In the Add Licenses dialog, click Choose File

3. Click Remove Licenses.
Upgrading Your License Format

The ACM 6 license format is different from previous versions. If you upgraded from ACM 5.12.2 to ACM 6.0.0
or later, you will need to upgrade your license format in order to add new licenses. Do not add any new ACM
6 licenses until you have upgraded your old licenses.
Note: If your system is licensed for more than the maximum number of readers, you will not be
eligible for an upgrade license. You can continue using your existing system, or contact sales to add
more features.
If you do not upgrade your license format, you can continue to use your existing features. However, you will
not be able to license new features.
Important: If you use the replication and failover features of the ACM system and you choose to
upgrade the license format you must upgrade the license format on both the primary and standby
ACM appliances. Replication features, including failover, will not function if the license format is not
the same on both appliances. Complete the following steps on both appliances.

2. In the About tab, click Download Upgrade File.
3. Email the .bin file to acm.license@avigilon.com. You will receive a response in 1-2 business days with
an Activation ID for each feature you have. You can continue to use the ACM appliance during this
time.
4. After you receive the Activation IDs, follow the procedure in Adding a License on page 374. You will
only need to enter one of the Activation IDs to automatically license the system for all features your
device is entitled to.
Viewing the End User License Agreement

Follow the steps below to view the End User License Agreement:

2. In the About tab, click View End User License Agreement Terms and Conditions.
3. Click Back to return to the Appliance: Edit page.
About Appliances page

View the ACM appliance version and licenses, and add or upgrade licenses, on the About tab in
> Appliance:
Appliance Name The name of the appliance.

Application Software Version The current software version running on the appliance.
Database Version The current database version running on the appliance.
End User License Agreement Whether the terms and conditions have been accepted.
Status
View End User License Agreement Click to review the software end user license agreement.
Terms and Conditions
Licenses
Add License Click to add licenses to the system.
Remove License Click to remove licenses from the system.
Counts The number of readers, panels, wireless locks, and ACM system
integrations that are licensed to the appliance.
External Systems The external vendors that are licensed to run with the appliance.
Collaborations The external information sources that are licensed for the import and
export of ACM identity information.
Options The features the appliance supports.
Viewing the End User License Agreement 378

Managing Collaborations
Connect, customize and set up your appliance to meet your system requirements. Possible functions include:
l Pulling identity information from an external database to populate identity fields in the Access Control
Manager.
l Pushing identities and events from the Access Control Manager to third-party applications such as
video management software.
Note: Any date fields in Collaboration files (e.g. Last Access, Expire Date, Activate Date, Issue
Date) will display as blank if there is no information recorded for that field. The Force Password
Change field does not apply to collaborations.
Adding a Collaboration
For the types of collaboration available in the ACM application, see Supported Collaborations on page 387.
To add a collaboration:
1. Select > Collaboration.

The Collaborations list appears.
2. Click Add Collaboration.
The Collaboration Add New page appears.
3. Fill out the Name, Appliance and Type fields. Depending on the type of collaboration selected,
additional fields will display.
4. Select the Installed checkbox to enable the collaboration.
5. Complete the remaining fields as required. The fields will vary depending on the collaboration type:
Collaboration type Additional fields
Events - Generic XML; Events - Splunk Host; Port Number; Require TCP
Managing Collaborations 379

Identity CSV Export Partitions (if configured); Partitions to Export (if
configured); Include Primary Photo; Include Roles;
Location Type; and for SCP or Windows Share
only: Host, Port Number, User Name, Password,
Location, Domain Name (Windows Share only)
Note: Only one Local Drive Identity CSV

Export collaboration is allowed. You can
update the definition of the existing
collaboration, or replace it with a new one
by manually deleting the existing one and
adding a new one. For more information,
see Deleting a Collaboration on
page 391.
Identity CSV one-time Long format Delimiter; Text Qualifier; Date Format; CSVFile
Identity CSV one-time Short format CSVFile
Identity CSV Recurring Include Primary Photo; Location Type; Host; Port
Number; User Name; Password; Location;
Delimiter; Text Qualifier; Date Format; Domain
Name (Windows Share)
Identity LDAP pull Host; Bind DN; Password: Port Number; SSL,
Validate Certificate
Identity Oracle RDBMS pull Host; User Name; Instance; Port Number;
Password
Identity SQL Server pull Host; User Name; Database; Port Number;
Password
Note: Ensure any individual images to be

imported are not over 1MB.
6. Click Save.
The Collaboration: Edit screen appears.
7. Navigate through the tabbed pages and fill out the details as required.
8. Click Save.
Adding a Collaboration 380

Adding an Events XML Collaboration
Note: The ACM license, AC-SW-LIC-XML, is required to enable this feature.
To add an Events XML collaboration:

2. Click Add Collaboration.
The Collaboration: Add page appears.
Name Name for the collaboration.
Appliance Select the appropriate Appliance, if more than one appliance is
available.
Type Select Events – Generic XML.
The following additional fields display once the type is selected:
l Host
l Require TCP
l Port Number
Installed Select this checkbox to enable the collaboration.
Host IP address of the XML receiver.
Require TCP Select this checkbox.
Port Number TCP port relating to the Host IP address.
4. Click Save.
The message 'Collaboration entry was successfully created' displays on the Collaboration: Edit screen.
5. Click the Events tab.
Schedule Select a Schedule for when the XML events collaboration will be
active.
Send Acknowledgments Select this checkbox to include acknowledgments.
Send Clears Select this checkbox to include clears.
Send Notes Select this checkbox to include notes created by Alarm Monitor
operators when processing alarms.
Adding an Events XML Collaboration 381

7. Select the desired event types to be included in the XML data feed from the Available list and move
them to the Members list.
Note: Hold the SHFT key down and select the first and last entries to select multiple
consecutive entries. Hold the CTRL key down to select multiple non-consecutive entries.
8. Click Save.
Collaborations - Events XML Definitions

Definitions for the individual attributes of the XML events stream are noted below:
To see a typical example, refer to Collaborations - Events XML Example on page 385.
XML Definition
<plasectrxGatewayDN> An internal reference for the ACM appliance that
cn=544de4aa06914073,ou=gateways this XML came from.
,dc=plasec
</plasectrxGatewayDN>
<cn>38901f4a95d14013</cn> The unique row identifier for this particular event.
Corresponds to the ID column in the history tables.
<plasectrxRecdate>20140610055028-0700 Time the event was logged into the ACM system
</plasectrxRecdate> history – adjusted for ACM local time.
<plasectrxPanel date>20140610085028-400 The UTC time the event actually happened. It is the
</plasectrxPanel date> timestamp of the event being reported up from the
field hardware. Adjusted for field hardware local
time.
<plasectrxRecdateUTC>20140610125028Z Time the event was logged into the ACM system
</plasectrxRecdateUTC> history.
<plasectrxPanel dateUTC>20140610125028Z The UTC time the event actually happened. It is the
</plasectrxPanel dateUTC> timestamp of the event being reported up from the
field hardware.
<plasectrxLastacc> Last Access time and date of the Token that is
19700101000000Z</plasectrxLastacc> associated with this event. Example – the last
recorded valid access of the card that was used at
a door causing a ‘Local Grant’ event.
<plasectrxEvtypename> ACM event type category for this event.
Intrusion</plasectrxEvtypename> Corresponds to one of the event types defined in
the ACM system in Settings: Event Types.
<plasectrxBackgroundColor> Color assigned to the event background color (if
</plasectrxBackgroundColor> any) for display in the ACM monitor.
<plasectrxForegroundColor> Color assigned to the event foreground color (if
</plasectrxForegroundColor> any) for display in the ACM monitor.

XML Definition
<plasectrxAckBackgroundColor> Color assigned to the event background color (if
</plasectrxAckBackgroundColor> any) for display in the ACM monitor. This color
corresponds to an ‘acknowledged alarm’ on the
Alarms page.
<plasectrxAckForegroundColor> Color assigned to the event foreground color (if
</plasectrxAckForegroundColor> any) for display in the ACM monitor. This color
corresponds to an ‘acknowledged alarm’ on the
Alarms page.
<plasectrxEventname> Name of the event. Corresponds to one of the
Input point in alarm events defined in the ACM system in Physical
</plasectrxEventname> Access: Events.
<plasectrxPanel name>elevator test Name of the panel that the event originated from.
</plasectrxPanel name>
<plasectrxSourcename> Name of the source of the event.
Input on subpanel 0 Address 1
</plasectrxSourcename>
<plasectrxSourcelocation> Location of the source of the event, as defined in
</plasectrxSourcelocation> the ‘Location’ field on the various hardware
property pages.
<plasectrxSourcealtname> Applies to doors only - if the event source is a door,
</plasectrxSourcealtname> this is the Alt. Name as defined on the Door
properties Configuration tab.
<plasectrxPointaddress> A reference number for the event e.g. ‘Input point
750</plasectrxPointaddress> in alarm’.
<plasectrxPointDN> This is the LDAP dn of the ‘Input point in alarm’
cn=750,ou=points,dc=plasec event, for lookup during ACM processing.
</plasectrxPointDN>
<plasectrxEvtypeaddress>5 This is a reference number for the event type e.g.
</plasectrxEvtypeaddress> ‘Intrusion’.
<plasectrxSourceDN> LDAP dn of the source of the event, used in ACM
cn=100,cn=0,cn=9,ou=panels, processing.
cn=544de4aa06914073,ou=gateways,
dc=plasec
</plasectrxSourceDN>
<plasectrxSourcetype>40 An internal reference to the type of hardware the
</plasectrxSourcetype> event source belongs to. Defines what type of
hardware produced the event – an input point in
this case.
<plasectrxOperatorname> the ACM system operator that is associated with
</plasectrxOperatorname> certain events e.g. an audit event for a record
updated by an the ACM system user.

XML Definition
<plasectrxPri>10</plasectrxPri> Priority of the event, as defined on the Event
properties page.
<plasectrxMsg></plasectrxMsg> Contents of the ‘Message’ column in the Monitor
e.g. the raw card data from an ‘Invalid Card Format’
event.
<plasectrxIdentityDN> The LDAP dn of the identity associated with the
</plasectrxIdentityDN> event. Example – the dn of the identity that used
their card at a door causing a ‘local grant’ event.
<plasectrxCardno>0 Internal number of the token that is associated with
</plasectrxCardno> this event. Example – the card number that was
used at a door causing a ‘local grant’ event.
<plasectrxEmbossedno> Embossed number of the token that is associated
</plasectrxEmbossedno> with this event. Example – the card number that
was used at a door causing a ‘local grant’ event.
<plasectrxLname> Last name of the identity associated with the event.
</plasectrxLname> Example – the last name of the identity that used
<plasectrxFname> First name of the identity associated with the event.
</plasectrxFname> Example – the first name of the identity that used
<plasectrxMi></plasectrxMi> Middle name of the Identity associated with the
event. Example – the middle name of the identity
that used their card at a door causing a ‘local grant’
event.
<plasectrxIssuelevel>-1 Issue level of the token that is associated with this
</plasectrxIssuelevel> event. Example – the issue level of the card that
was used at a door causing a ‘local grant’ event.
<plasectrxFacilityCode>0 Facility code of the token that is associated with
</plasectrxFacilityCode> this event. Example – the facility code of the card
that was used at a door causing an ‘invalid facility
code’ event.
<plasectrxExpiredat> Deactivate date of the token that is associated with
19700101000000Z this event. Example – the deactivate date of the
</plasectrxExpiredat> card that was used at a door causing a ‘local grant’
event.
<plasectrxActivdat> Activate date of the token that is associated with
19700101000000Z this event. Example – the activate date of the card
</plasectrxActivdat> that was used at a door causing a ‘local grant’
event.
<plasectrxIssuedat> Issue date of the token that is associated with this
19700101000000Z event. Example – the issue date of the card that
</plasectrxIssuedat> was used at a door causing a ‘local grant’ event.

XML Definition
<plasectrxHasCamera>0 Indicates whether the event has a camera view
</plasectrxHasCamera> associated with it. Used in the monitor to display
the camera icon for an event with a camera
association.
<plasectrxHasNotes>0 Indicates whether there are any notes available for
</plasectrxHasNotes> this event.
<plasectrxHasSoftTriggerSet>0 Indicates whether there is a soft trigger associated
</plasectrxHasSoftTriggerSet> – currently this applies to Exacq video integration
only.
<plasectrxShowVideo>0 Indicates whether the event is optioned to show
</plasectrxShowVideo> pop-up video of an associated camera.
<plasectrxSeqno>0 Not used.
</plasectrxSeqno>
<plasectrxIsAlarm>1 Indicates whether this event is also defined as an
</plasectrxIsAlarm> alarm. Alarms appear on the Monitor: Alarms page.
Collaborations - Events XML Example

Shown below is an example of a typical 'input point in alarm' XML events stream:
<EVENT>
<plasectrxGatewayDN>cn=544de4aa06914073,ou=gateways,dc=plasec</plase
ctrxGatewayDN>
<cn>38901f4a95d14013</cn>
<plasectrxRecdate>20140610055028-0700</plasectrxRecdate>
<plasectrxPanel date>20140610085028-0400</plasectrxPanel date>
<plasectrxRecdateUTC>20140610125028Z</plasectrxRecdateUTC>
<plasectrxPanel dateUTC>20140610125028Z</plasectrxPanel dateUTC>
<plasectrxLastacc>19700101000000Z</plasectrxLastacc>
<plasectrxEvtypename>Intrusion</plasectrxEvtypename>
<plasectrxBackgroundColor></plasectrxBackgroundColor>
<plasectrxForegroundColor></plasectrxForegroundColor>
<plasectrxAckBackgroundColor></plasectrxAckBackgroundColor>
<plasectrxAckForegroundColor></plasectrxAckForegroundColor>
<plasectrxEventname>Input point in alarm</plasectrxEventname>
<plasectrxPanel name>elevator test</plasectrxPanel name>
<plasectrxSourcename>Input on subpanel 0 Address

1</plasectrxSourcename>

<plasectrxSourcelocation></plasectrxSourcelocation>
<plasectrxSourcealtname></plasectrxSourcealtname>
<plasectrxPointaddress> 750</plasectrxPointaddress>
<plasectrxPointDN>cn=750,ou=points,dc=plasec</plasectrxPointDN>
<plasectrxEvtypeaddress> 5</plasectrxEvtypeaddress>
<plasectrxSourceDN>cn=100,cn=0,cn=9,ou=panels,cn=544de4aa06914073,ou
=gateways,dc=plasec
</plasectrxSourceDN>
<plasectrxSourcetype>40</plasectrxSourcetype>
<plasectrxOperatorname></plasectrxOperatorname>
<plasectrxPri>10</plasectrxPri>
<plasectrxMsg></plasectrxMsg>
<plasectrxIdentityDN></plasectrxIdentityDN>
<plasectrxCardno> 0</plasectrxCardno>
<plasectrxEmbossedno></plasectrxEmbossedno>
<plasectrxLname></plasectrxLname>
<plasectrxFname></plasectrxFname>
<plasectrxMi></plasectrxMi>
<plasectrxIssuelevel> -1</plasectrxIssuelevel>
<plasectrxFacilityCode>0</plasectrxFacilityCode>
<plasectrxExpiredat>19700101000000Z</plasectrxExpiredat>
<plasectrxActivdat>19700101000000Z</plasectrxActivdat>
<plasectrxIssuedat>19700101000000Z</plasectrxIssuedat>
<plasectrxHasCamera>0</plasectrxHasCamera>
<plasectrxHasNotes>0</plasectrxHasNotes>
<plasectrxHasSoftTriggerSet>0</plasectrxHasSoftTriggerSet>
<plasectrxShowVideo>0</plasectrxShowVideo>
<plasectrxSeqno>0</plasectrxSeqno>
<plasectrxIsAlarm>1</plasectrxIsAlarm>
</EVENT>
For definitions of the individual attributes, refer to Collaborations - Events XML Definitions on page 382.

Editing a Collaboration
To edit an existing collaboration:

2. Click on the name of the collaboration you want to edit.
The Collaboration Edit screen appears.
3. Navigate through the tabbed pages and make the required changes.
4. Click Save.
Supported Collaborations
Note: Up to 32 collaborations—in any combination by Type or Installed status—are supported by an

ACM appliance.
The types of collaboration available in the ACM application include:
Type Description
Identity
Identity CSV Export identities, photos, tokens, groups, and roles to a CSV file.
Export
Note: Only one Local Drive Identity CSV Export collaboration is allowed.
Identity CSV One- Import identities, tokens, groups, roles from a CSV file manually and keep the Access
time Long format Control Manager identity database in sync with changes.
Identity CSV One- Import identities, tokens, groups, roles from a CSV file manually and keep the Access
time Short format Control Manager identity database in sync with changes.
Identity CSV Import identities, photos, tokens, groups, and roles from an updated CSV file and keep
Recurring the Access Control Manager identity database in sync with changes.
Identity LDAP pull Pull identities, tokens, groups, roles from a directory store and keep the Access
Control Manager identity database in sync with changes.
Editing a Collaboration 387

Type Description
Identity Oracle Pull identities, tokens, groups, roles from a Oracle RDBMS store and keep the Access
RDBMS pull Control Manager identity database in sync with changes.
Identity SQL Pull identities, tokens, groups, roles from a Microsoft SQL Server RDBMS store and
Server pull keep the Access Control Manager identity database in sync with changes.
Note: Ensure any individual images to be imported are not over 1MB.
Events
Events - Generic Transmit events in real time using XML.
XML
Events - Splunk Produces messages in Splunk format. Splunk is a log aggregation product.
Note: The maximum file size recommended for unzipped information is 25GB. This maximum
equates to approximately 12,500 identities if each identity has a 2MB photograph, or 6,250 identities
if each identity has a 4MB photograph.
Running a Collaboration
To run a collaboration:

2. Click from the Run column next to the collaboration you want to run.
Allow more time for the collaboration to run if you are using the SCP or Windows Share location type.
Running the Local Drive location type is faster because network performance is not a consideration.
4. View the ACM identity and token information as follows:
Note: The maximum file size recommended for unzipped information is 25GB. This maximum
equates to approximately 12,500 identities if each identity has a 2MB photograph, or 6,250
identities if each identity has a 4MB photograph.
Running a Collaboration 388

l For previews of Identity CSV Recurring, Identity LDAP pull, Identity Oracle RDBMS pull and
Identity SQL Server pull collaborations in the general log, see Previewing the General Identity
Collaboration Log below.
l For exports to SCP or Windows Share network locations, view the files (unzipped) in the
location specified in the collaboration.
l
For exports to Local Drive, click when it appears and view the contents of the zipped CSV
export file. See Extracting a CSV Zip File on the next page.
Previewing the General Identity Collaboration Log

You can click the Preview icon to view the general log for identity collaborations that were run, when each
collaboration was started, how long each collaboration took to complete in minutes, the number of identities
that were exported and the compression level (deflate format) of each item. Recent entries are shown at the
top of the log, and older entries at the end of the log. For information about accessing the individual logs, see
Accessing Appliance Logs on page 370.
The general identity collaboration log can be previewed for these types of collaborations:
l Identity CSV Recurring
l Identity LDAP pull
l Identity Oracle RDBMS pull
l Identity SQL Server pull
The following examples show an Identity CSV Export to Local Drive collaboration and a previewed log in the
Identity Collaboration Log....
Figure 19: Example of two collaborations that were run and completed
20191024-010540 collab_idfile:<Vancouver Appliance> 2019 10/24 01:05:40-0700 *******************STARTING COLLABORATION

RUN.*******************
20191024-010540 collab_idfile:<Vancouver Appliance> Running Export Collaboration...
====================================
Started at: 2019-10-24 01:05:56 -0700
Finished at: 2019-10-24 01:13:59 -0700
Total timing: 483.713355605
Total Identities Exported: 10106
====================================
adding: ACM_identity_export.csv (deflated 81%)
adding: ACM_manifest.yml (deflated 58%)
adding: photos/ (stored 0%)
adding: photos/caa41a44-8a46-1039-8dbe-7178c5f2b90a.jpg (deflated 0%)
adding: photos/51a4f380-8a45-1039-92bf-7178c5f2b90a.jpg (deflated 2%)
...
Previewing the General Identity Collaboration Log 389

20191024-073545 collab_idfile:<Vancouver Appliance> 2019 10/24 07:35:45-0700 *******************ENDING COLLABORATION
RUN.*******************
*******************STARTING COLLABORATION RUN.*******************
20191024-083545 collab_idfile:<Vancouver Appliance> Running Export Collaboration...
====================================
Started at: 2019-10-24 08:36:05 -0700
Finished at: 2019-10-24 08:44:13 -0700
Total timing: 487.375753767
Total Identities Exported: 10106
====================================
adding: ACM_identity_export.csv (deflated 81%)
adding: ACM_manifest.yml (deflated 58%)
adding: photos/ (stored 0%)
...
Figure 20: Example of a previewed collaboration
20191029-213702 collab_idfile:<Vancouver Appliance 5> 2019 10/29 21:37:02+0000 *******************STARTING COLLABORATION

RUN - preview only mode.******************
20191029-213702 collab_idfile:<Vancouver Appliance 5> Obtaining input file(s)...
Transfer using NAS - CIFS
...
20191031-000839 collab_idfile:<Vancouver Appliance 5> 2019 10/31 00:08:39+0000 *******************ENDING COLLABORATION

RUN - preview only mode.*******************
Extracting a CSV Zip File

To extract a zipped comma delimited (CSV) file that contains exported ACM identities and tokens:
Note: The 7-Zip tool is recommended for extracting zipped CSV export files larger than 4GB. The
maximum file size recommended for unzipped information is 25GB. This maximum equates to
approximately 12,500 identities if each identity has a 2MB photograph, or 6,250 identities if each
identity has a 4MB photograph.

2. Click next to Local Drive for the collaboration that was run.
3. The collaboration_name-yyyymmddhhmmss.zip file is downloaded to the local drive on an
Extracting a CSV Zip File 390

ACM appliance. The hh value is specified in 24-hour format.
4. Extract and examine the contents:
l photos folder contains the photographs of the exported identities.
l ACM_manifest.yml provides:
o source: The name of the appliance.
o software version: The version of the ACM software.
o db_version: The version of the ACM, LDAP or appliance configuration database.
o assets: ACM_identity_export.csv: The identifier of the CSV export file.
l ACM_identity_export.csv spreadsheet provides exported ACM identity and token
information in columns A through AL. See the following sample:
l Note: The VIP column refers to the anti-passback (APB) setting.
Deleting a Collaboration
To delete an existing collaboration:

The Collaboration list appears.
2. Click beside the collaboration that you want to delete.

Assigning an Event Type to a Collaboration

To assign an event type to a collaboration:

2. From the Collaboration list, click on the name of the collaboration you want to edit. It must be an Event
collaboration type.
The Collaboration Edit screen appears.
3. Select the Events tab.
4. From the Available list, select all the events you want to transfer, then click .
The event is added to the Members list to show that it is now assigned.
To remove an event from the collaboration, select the event from the Members list, then click .
Deleting a Collaboration 391

Note: You can select multiple events by using the Ctrl or Shift key.
5. Click Save.
Assigning an Event Type to a Collaboration 392

Setup & Settings
Click or hover over in the upper-right corner to:

l Appliance — Connect, customize and set up your appliance to meet your system requirements. For
more information, see Managing Appliances on page 342.
l Collaboration — Set up and manage collaborations which exchange data with third-party databases
and applications. For more information, see Managing Collaborations on page 379.
l Schedules — Configure when a door is accessible, when a card is valid, or when a device is activated.
l Holidays — Configure dates when normal rules are suspended in schedules.
l Event Types — Configure event types and instructions on how to handle the event generated in the
ACM system. For more information, see Event Types - Introduction on page 400.
l User Forms — Customize the identity and tokens tabs or create additional ones, and then assign them
to ACM operators. For more information, see User Forms Overview on page 403.
l User Fields — Add additional fields for enrolling identities. For more information, see User Defined
Fields - Introduction on page 406.
l User Lists — Add additional drop-down option lists for enrolling identities. For more information, see
User Lists - Introduction on page 409.
l System Settings — Configure system settings such as language, token expiration time, required
password strength and more. For more information, see System Settings - Introduction on page 410.
l Paired Devices — Generate a one-time key to connect a browser-enabled device, such as a
smartphone, to a door configured as an ACM ACM Verify station so that it can function as a Virtual
Station. For more information, see Paired Devices on page 278.
l Certificates — Mercury controllers only. Add custom certificates for panel and ACM authentication.
l Badge Designer — Customize a badge template for badge holders. For more information, see Badge
Templates and the Badge Designer on page 422
l External Systems — Set up integration to cameras, sites and other third-party external systems. For
more information, see External Systems Overview on page 429.
l Maps — Import maps of your facility and populate them with door, panel, subpanel, input, output,
camera and global action alarm points that can be monitored. For more information, see Maps -
Introduction on page 450.
Schedules and Holidays Overview

Schedules
A schedule controls when a door setting is active. For example, you can apply a schedule to a group of users
and secured doors to grant and deny access to the days and times specified in the schedule.
A door can be assigned an 'unlock schedule', which specifies a period of time when no credential is required
to access the door. All users have free access during the 'unlock schedule' period. Likewise, a device may be
assigned an 'active schedule', a period during which the device is in operation.
Setup & Settings 393

You can also create a holiday list to manage access during holidays or special days when the building is
closed. Before you can create a schedule to handle special occasions, you must set up the holiday list.
For more information, see:

l Searching for Schedules below
l Adding Schedules (Intervals in Schedules) on the next page
l Editing Schedules on page 397
l Deleting Schedules on page 397
When a panel is not operating as expected, see Panel Events on page 526 for troubleshooting instructions.
Holidays
Holidays are special days in the year when the standard schedule does not apply or a different entry and exit
pattern is observed. New Year's Day and National Day are examples of holidays. The Access Control
Manager is designed to accommodate a large number of diverse holidays.
Note: Holidays are set for a specific day in the year. You need to update the system holidays each
year.

l Adding Holidays on page 397
l Editing Holidays on page 398
l Deleting Holidays on page 398
l Examples on page 398
Searching for Schedules

View all the schedules that have been configured in the ACM system on the Setup & Settings >
Schedules page.
1. Select Name, Mode or Partitions in Search Field.

To remove a single criteria row, click Remove.
4. Click Search.
Holidays 394
Name The name of the schedule.
Click the name to edit the schedule.
Mode The mode of the schedule.
l ON – The schedule is constantly on. You do not need to set
specific dates or times for the schedule.
l OFF – The schedule is constantly off.
l SCAN – The schedule follows the date and time set in the
checkboxes.
Delete
Click to delete the schedule.
Add Schedule Click the button to create a new schedule.
Create New Report Click the button to generate a report of all the schedules in the system.
Adding Schedules (Intervals in Schedules)

1. Select > Schedules.
The two default 24 Hours Active (ON) and Never Active (OFF) schedules cannot be deleted.
2. Click Add Schedule.
3. Enter a name for the schedule in Name.
4. Edit the Advanced Schedules field, if needed: The checkbox is checked by default for new schedules
and any existing schedules that were previously configured using the advanced capability (at time of
initial release of the field).
l If checked, you can apply different selections of holidays to the intervals in the schedule. (The
page refreshes and displays columns of holiday checkboxes.)
l If unchecked, you can apply the same selection of holidays to the schedule itself. (The page
refreshes and displays a single row of holiday checkboxes.)
Note: The Advanced Schedule option is not supported for ASSA ABLOY IP doors.
5. Select the schedule mode:

l
ON – The schedule is constantly on. You do not need to set specific dates or times. Click
to save the new schedule.
l
OFF – The schedule is off. Click to save the new schedule.
l SCAN – The schedule follows a weekly, monthly or shift rotation and includes any holidays.
One interval is represented by one row of checkboxes.

For SCAN mode:
a. Click the days of the week (Sun - Sat) and any applicable holiday ( 1 - 8) in each of the
applicable rows.
b. Enter the start (Active is inclusive) and end (Inactive is exclusive) time in 24-hour clock
format and avoid overlapping times.
Example: A day shift from 08:00 - 19:59 and a night shift from 20:00 - 07:59.
No conflict occurs when the actual start time is 08:00:00 and the actual end time is
19:59:59 for the day shift; and the actual start time is 20:00:00 and the actual end time is
07:59:59 for the night shift.
For more examples, see Adding Holidays on the next page and Examples on page 398.
Note: For Mercury Security and ASSA ABLOY IP-enabled doors, the limit is 255
schedules. For Schlage IP/PoE mode doors, the limit is 16 intervals in all
schedules combined. For SALTO doors, the limit is 1024 schedules.
c. Click to save the new schedule.

6. Select Roles > Access Groups and click Add Access Group to select the schedule and the doors.
Note: SALTO doors only. If a door is linked to a zone in the SALTO system, do not assign the
access group a schedule that is less than five minutes in duration in the Active and Inactive
fields.
For more information, see Adding an Access Group on page 112.

7. Select Roles > Roles and select the role. Click the Access Groups tab and assign the access group
to a role.
For more information, see Assigning an Access Group to a Role on page 89.

Editing Schedules
2. Click the name of the schedule.
3. Edit the schedule as required.
Tip: If a message indicates the Advanced Schedule option cannot be enabled when saving,
do any of the following:
l Save the schedule without Advanced Schedule selected. Some doors only support
basic schedules.
Deleting Schedules
Note: When you delete a schedule that is currently used (such as by a door, panel or interlock), all
references to the deleted schedule are replaced by the Never Active schedule.

2. Click beside the schedule you want to delete.
Adding Holidays
1. Select > Holidays.
2. Click Add Holiday.
3. Enter a name for the holiday in Name.
4. Enter the specific date of the holiday.
Note: For a recurring holiday, create a holiday for each future year.
5. If the holiday spans more than one day, fill out the Additional Days field.
Default setting is 0 for a one-day holiday.
Example: If 01/01/2020 is the date of the holiday and 2 additional days are specified, the holiday
period is January 1, 2 and 3.
Editing Schedules 397

6. Select the number corresponding to the Type of holiday. (The holiday type number allows you to
group specific types of holidays together.)
Note: Up to 3 types of holiday groups are supported for SALTO doors.
7. Click the Preserve schedule days checkbox to specify that only the holiday schedule be activated on
the date of the holiday. Leave unchecked if all other schedules are to be activated on the same date.
The holiday must be assigned to a schedule to control any door settings.
Note: If two holidays on the same date are added with different settings in this field (one is
checked and the other is not checked), the settings of the last holiday added takes effect.
Note: Not applicable for SALTO doors.
8. Click to save the new holiday.
Editing Holidays
2. Click the name of the holiday you want to edit.
3. Edit the information about the holiday as required.
Deleting Holidays
2. On the Holiday list, click for the holiday you want to delete.
Examples
Noted below are two examples of setting up holidays and schedules.
Example 1: Part-Day Holiday

All staff are attending an afternoon team function on December 18th, with work finishing at noon. On the 18th
the doors need to unlock from 8 a.m. to noon, with access by Card Only mode after noon. The regular
schedule for Monday to Friday is for the doors to open from 8 a.m. to 5 p.m.
Editing Holidays 398

2. On the Holiday list, click to add a new holiday.
3. On the Holiday: Add page, enter:
l Name (for example, Company Half Day).
l Date (for example, 12/18/2020).
l Type (for example, 8).
4. Click to save.

6. Select the regular schedule on the Schedules list.
7. Click the Advanced Schedule checkbox to remove the default checkmark. The columns of holiday
checkboxes are replaced by a single row of holiday checkboxes that supports a basic schedule.
8. On the first available free line (representing an interval in the schedule), enter 08:00 as the Active
time and 11:59 as the Inactive time.
9. Click the checkbox for the Type selected in step 3 above (for example, 8).
10. Click to save.
Tip: To apply an advanced schedule that supports different holidays for intervals in a schedule,
make sure the Advanced Schedule checkbox is selected. For example, if afternoon team functions
are held over two weeks on a Thursday and Friday (10th and 18th), add the two holidays (10th and 18th
with 7 and 8 types, respectively) and then enter checkmarks for Thu and 7 in one row and Fri and 8
in another row. Save the schedule.
Example 2: Additional Access Time

A special delivery is scheduled for December 20th, requiring additional access time from 8 p.m. to midnight.
To create the additional access time without impacting the regular daily schedule, the Preserve schedule
days option can be used. This option allows you to set separate access schedules for the same day.

2. On the Holiday list, click to add a new holiday.
3. On the Holiday: Add page, enter:
l Name (for example, Late Night Access).
l Date (for example, 12/20/2020).
l Type (for example, 7).
l Click the Preserve schedule days checkbox.
4. Click to save.
Example 2: Additional Access Time 399

6. Select the regular schedule on the Schedules list.
7. Click the Advanced Schedule checkbox to remove the default checkmark. The columns of holiday
checkboxes are replaced by a single row of holiday checkboxes that supports a basic schedule.
8. On the first available free line (representing an interval in the schedule), enter 20:00 as the Active
time and 23:59 as the Inactive time.
9. Click in the checkbox for the Type selected in step 3 above (for example, 7).
10. Click to save.
Event Types - Introduction

Event types are classifications of events that may occur during the operation of the ACM system. Event types
are associated with specific event sources, such as doors, panels, and systems.
A number of event types are defined by default but you can add or delete event types as needed. The default
events are listed below.
Event Type Source Definition

Communications Door Events where two or more components cannot
communicate with each other (for example, if a lock
Panel
is offline with a hub, or if there is radio interference).
Subpanel Related events include:
l Lock offline with hub
l Panel offline
l Radio disturbance
l Subpanel communication disabled
l Subpanel offline
l Subpanel type mismatch
l VidProxy Image Service offline
l VidProxy Service offline
Door held open Door Covers door held events including:
l Door held masked
l Door held open
l Door held open pre-alarm
l Door held unmasked
l Extended door held disabled
l Extended door held enabled

Forced Door Door Covers forced door events including:
l Forced door
l Forced door masked
l Forced door unmasked
Intrusion Intrusion Area, Used for:
Maintenance, Panel,
l Bosch intrusion events
Point, System, User,
Input, Intrusion SDI l SDI intrusion device events
Device l General purpose input events from Mercury
Security or VertX (general purpose inputs
are inputs that are not used in a door).
Intrusion DMP Intrusion Area, Panel, Used for DMP intrusion events.
Zone, User
Invalid Credential Door Relates to any door event where access is denied
(e.g. Deactivated card attempt, Invalid card
schedule, Access denied – occupancy level
reached etc.).
Maintenance Door Primarily developed to cover events where action
is required outside of the system (e.g. uploads,
Panel
downloads, inconsistencies between panels etc.).
Subpanel
Note: There are other miscellaneous

events which are also assigned to this
event type.
Output Outputs Covers general purpose outputs - Mercury Security

or VertX® outputs that aren't door strikes, including:
l Output point active

l Output point inactive
l Output point pulsed
Power Door Covers only low or critical battery events for doors.

System System Primarily used where the system is informing the
user of an event. This includes global actions and
linkages.
Note: This event type has also been used

for other miscellaneous events (e.g. Card
trace and Requests to enter for doors).
System audit System/ Database Covers events where a record has been added,
deleted or updated by the system.
Credentials
Tamper Door Relates to all tamper events for panels or doors,
including (but not limited to):
Panel
l Area disabled/enabled
Subpanel
l Lock jammed
l Occupancy count reached
l Panel transaction level reached
User audit Door Where a user makes a change in the UI or in REST,
including (but not limited to):
Panel
l APB requests
Subpanel
l Door-related requests
Intrusion Panel l Intrusion panel requests
System/ Database l Records changed in database
Valid Credential Doors Access was granted to an identity that has access
to the door and has swiped the card. For example,
local grant, Opened unlocked door, Facility code
grant, and more.
Video Video Video-related events, including:
l Connection Loss
l Motion Detected
l Video Loss
Note: The Network and Offline lock event types are no longer in use and have been removed from
the ACM system version 5.10.0 onwards.

Adding Event Types
1. Select > Event Types.
The Event Types list is displayed.
2. From the Event Types list, click Add New Event Type.
3. On the Event Type: Add New page, enter a name for the new event type.
4. Check the Alarm box if this event type will always generate an alarm.
5. Complete the remainder of the page with the required settings.
6. Click to save the new event type.
Editing Event Types

The Event Types list is displayed.
2. From the Event Types list, click the name of an event type.
3. On the Event Type Edit page, make any changes that are required.
Deleting Event Types
Note: System default event types cannot be deleted. You can only delete event types that have
been manually added to the system.

2. Click beside the event type you want to delete.
User Forms Overview

ACM Super Admin users only
User forms provide a drag-and-drop interface for identity management. For example:
Adding Event Types 403

Customize the identity and tokens tabs or create additional ones, and then assign them to ACM operators.
l Adding and Customizing Tabs with User Forms below
l Assigning Tabs to Identities with User Forms on the next page
l Editing User Forms on page 406
l Deleting User Forms on page 406
Adding and Customizing Tabs with User Forms

Choose User Forms to customize the Identity and Tokens tabs, and add any number of custom tabs, inserted
in alphabetical order, after the built-in tabs on the Identities page.
Before you begin, add any new user-defined fields. For more information, see Adding and Assigning Tabs to
Identities with User Fields on page 407.
1. Select > User Forms.

The built-in identity and token forms are visible on all identities by default ( ) and cannot be edited
and deleted.
2. Click Add User Form.
Adding and Customizing Tabs with User Forms 404

3. Select a form type for customization:
l Identity — A form with pre-populated fields, which can be displayed instead of the default
Identity tab.
l Token — A form with pre-populated fields, which can be displayed instead of the default
Tokens tab.
l Custom — A blank form, which can be displayed as an additional tab that is customized to meet
your requirements.
4. Click Next and optionally assign the form to one or more identity profiles. Enter:
l Name — A name for the form.
l Title — A label for the tab on the identity page.
l All Profiles checkbox — All identity profiles, current and future, to be assigned to the form.
l Identity Profile — If All Profiles is not selected, select one or more identity profiles.
5. To customize the form, do any of the following:
l Drag and drop a layout from the list of layouts. This is required for a blank custom form and
optional for a pre-populated form.
l Drag and drop Header to enter a label for the items.
l Drag and drop a field from the list of built-in and user-defined fields.
o Last Name and Status are required for an identity record.
l
Click the Advanced Edit icon in the upper-right corner.
o To make a field read-only which means it is grayed out and not editable by the operator,
click it and select Properties. Click the Read-only checkbox and click Save.
o To delete a field, hover your mouse over it and select Remove.
o
To delete a layout and its items, hover your mouse over it and click on the bottom
edge.
6. Click Save to save the new form.
After you add a new form, see Assigning Tabs to Identities with User Forms below.
Assigning Tabs to Identities with User Forms

After one or more identity or token forms are created, display them to all ACM operator identities or only
specific identities.
After one or more custom forms are created, display them to all ACM operator identities or only specific
identities.
Note: Delegations can restrict operators from editing and viewing the list of assignments.
On the User Forms list, do any of the following:
Assigning Tabs to Identities with User Forms 405

l For an identity or token form:
o To display an identity or token form, click the default icon next to the form to make it the
default. The default icon changes to .
The identity or token tab will be displayed to all operator identities. To reverse this change,
click .
l For a custom form:
o To display one or more custom forms to all identities, click the public icon next to each
custom form. The public icon changes to .
The custom tab will be displayed to all operator identities. To reverse this change, click .
l For any form type:
o To define the operator identities who can view the form, click Assign and select the identities.
Click to move them from the Available list to the Members list. To reverse these changes,
click to move them back to the Available list. Click Save.
The identity, token or custom tab will not be displayed to all operator identities. Only the
selected operator identities can view it.
Editing User Forms

To edit an identity, token or custom form:
1. On the User Forms list, click the name of the form.

2. Do any of the following:
l Add, edit or delete fields.
l Add, edit or delete a layout.
3. Click Save.
Deleting User Forms

You can delete an identity, token or custom form that is not set to default or not assigned to any identities. In
addition, the built-in forms cannot be deleted.
1. Select >User Forms.
2. Click next to the name of the form. The button is not displayed if any identities are assigned to
the form.
User Defined Fields - Introduction

User defined fields are custom fields that you can add to the Identities page to capture organization specific
information for each identity.
To add user defined fields to the Identities page, you must also add a user defined tab to host the fields.
Editing User Forms 406

Information captured by user defined fields can be used on badges to display important details about each
identity.
User defined fields can also be used for advanced searching for identities. For more information, see
Searching for an Identity on page 68.
Adding a Field for User Forms, Tabs and Lists

User-defined fields are used to collect additional details about users on the Identities screen. After you add
all the fields, add at least one tab to display the new fields. For more information, see Adding and
Customizing Tabs with User Forms on page 404 and Adding and Assigning Tabs to Identities with User
Fields below.
1. Select >User Fields.

2. Click Add User Defined Field.
3. Enter a name for the new field in the Name field.
4. Select the field Type:
l String — The field supports words and numbers.
l Integer — The field supports numbers only.
l Boolean — The field is a checkbox that works like a Yes or No question. Check the box to
indicate 'yes' and clear the box to indicate 'no.
l Date — The field supports a date only. Click the field to display a calendar and select a date.
5. Click to save the new field.
Note: User-defined fields cannot be edited, only deleted.
Adding and Assigning Tabs to Identities with User Fields

You must add a new tab to host user-defined fields before using them on the Identities page. Add tabs after
you've added all the fields that you need.
Tip: It is recommended to add a tab and user-defined fields on the Identities page using identity,
tokens and custom forms in a drag-and-drop interface. For more information, see Adding and
Customizing Tabs with User Forms on page 404.
1. Select > User Fields.

2. Click the Tabs tab.
3. Click Add User Defined Tab.
4. Enter a name for the new tab in Name and click .
Adding a Field for User Forms, Tabs and Lists 407

5. From the Available list, select all the user-defined fields that should be displayed on the tab and click
to add them to the Members list.
To remove a field from the tab, select the field from the Members list and click .
Adding User Defined Fields to Tabs

The User Fields list is displayed.
2. From the User Fields list, click the Tabs tab.
3. Click the name of the tab that you want to edit.
4. Edit the tab details as required.
User Defined Fields - Deleting Fields

NOTE: You cannot delete user defined fields if they are used in a tab. To delete a field, you must remove it
from all tabs first.

2. If the symbol displays for the field you want to delete:
a. Click to delete the field.
b. When the browser displays a pop-up message to ask Are you sure?, click OK.
3. If the symbol does not display for the field you want to delete, this is because the field is currently
used by a tab. To remove a field from a tab:
a. Select the Tabs tab then click the name of the tab that the field appears in.
b. On the following page, select the field from the Members list then click .
The field is removed from the tab and returned to the Members list.
c. Click .
User Defined Tabs - Deleting

User defined tabs can be deleted as required. However, you cannot delete user defined fields if they are
used in a tab.
Adding User Defined Fields to Tabs 408

2. Select the Tabs tab.
3. Click for the tab you want to delete.
User Lists - Introduction

Many fields on the Identity page involve selecting a value from a drop down list. While there are several
default values for these fields, you can add more options using the User Lists feature.
For example, if you want to add departments that are specific to your organization, you would use this feature
to add those options to the Departments drop down list.
Adding Items to a List
Note: Any changes you make to the lists are automatically included in identity-related collaborations.
1. Select > User Lists.

2. Click the name of the list you want to add items to.
3. On the User List Edit screen, enter a new list option in the New Value field and click .
4. Repeat the previous step until all the new values you want are listed in Current Values.
User Lists - Editing Items

Any changes you make to the lists are automatically included in identity related collaborations.

The User Defined Lists list is displayed.
2. On the User Defined Lists list, click the name of the list you want to edit.
3. To add a new option, enter the new option in the New Value field then click .
The new value is added to the Current Values list.
4. To delete a value, select the option from the Current Values list and click .
User Lists - Introduction 409

User Lists - Deleting Items
The User Defined Lists list is displayed.
2. On the User Defined Lists list, click the name of the list you want to edit.
3. Select the option you want to delete from the Current Values list then click .
The option you deleted is no longer listed on the Identities page.
System Settings - Introduction
Use > System Settings to:

l Customize default values for system-wide settings in the ACM system configure. For more information,
see System Settings - General Fields on page 414.
l Configure remote authentication of ACM users with an external domain server. For more information,
see Remote Authentication - Introduction below.
l Identify the external domain servers used for remote authentication. For more information see System
Settings - External Domains list on page 418.
Remote Authentication - Introduction

With remote authentication, ACM Client users can use their local domain username and passwords to access
the ACM system. Remote authentication uses an external domain server to authenticate users that need
access to the system, or to secure an LDAP Identity pull collaboration type. A separate password configured
in the ACM appliance is not needed. However, user access permissions are still based on the roles they are
assigned within the ACM appliance.
Before remote authentication can be configured on the ACM appliance, a system administrator with
privileges on all the servers required to support remote authentication needs to:
l Add one or more external domains
l Add one or more AD or LDAP servers to each domain to the system
l Issue root certificates for each domain
l Enable each remote host to present its SSL certificate on connection to the ACM server software
Configuration of the external domain servers and the creation of their root certificates is outside the scope of
this document.
To allow remote authentication, you must:
User Lists - Deleting Items 410

1. Connect to the external domain servers hosting the AD or LDAP servers you want used for
authentication and validate the SSL certificates they present. System Settings - External Domains list
on page 418.
2. Specify the default domain and server that hosts the AD database to use for authenticating ACM
software users, and enforce certificate authentication. For more information see System Settings -
Remote Authentication page on page 418.
Secure Socket Layer (SSL) certificates are used to verify the remote hosts and to encrypt all the log in traffic
between connected hosts. Only ACM system operators with administrative privilege and the following
delegations assigned to their role can validate SSL certificates:
l External Domains Validate Certificates—delegation required to validate an SSL certificate from a
Windows AD host
l Collaboration Validate Certificates—delegation required to validate an SSL certificate from an LDAP
database host in a Collaboration using the Identity Pull LDAP server collaboration type
You can set up different identities to be authenticated by different domains. Each identity must be configured
to use one of these domains for authentication. This is done in the Account Information: section on either the
Identity: Add or Identity: Edit panel of the given Identity. For more information, see
Configuring Remote Authentication Using SSL Certificates

Remote or external domains only. For Super Admin users with the External Domains Create Certificate, External Domains Destroy
Certificate, External Domains List Certificates, External Domains Load Certificate and External Domains Validate Certificates delegations
assigned to their role.
Certificates can be recognized by the ACM appliance in two ways:

l Pinned SSL certificates—Certificates from remote hosts in external domains that are accepted
manually by an ACM system administrator so that the remote host can connect automatically. These
certificates are trusted as long as they are not revoked manually by an ACM system administrator.
l Trusted SSL certificates—Certificates from remote hosts in external domains that are imported into the
ACM server software so that the remote host can connect automatically. They are valid until the
certificate expires.
Note: To provide maximum security strength for your ACM system, ensure the certificate meets the
U.S. government's National Institute of Standards and Technology (NIST) Special Publication 800-
131A (SP 800-131A) standard.
If your ACM appliance to ACC integration deployment is having trouble connecting, review the
certificate requirements for the two systems. You may need to update the certificate on the ACM
appliance to resolve the connection issues between the two systems.
About Certificate Pinning

When SSL certificates from a server in an external domain have not been exported from that server and
uploaded to the ACM server they cannot be automatically trusted.
However, a remote server can present its SSL certificate to the ACM server so that an administrator can
Configuring Remote Authentication Using SSL Certificates 411

choose to trust it based on the administrator's certainty that the certificate is valid. In the ACM server, after an
SSL certificate is accepted manually, it will be trusted as long as the unique fingerprint embedded in the
certificate presented by the remote server each time it is connected to the ACM software is the same as the
certificate originally accepted by the ACM system administrator. A certificate that is trusted in this way is
known as a pinned certificate.
Pinning a certificate allows you to trust a certificate that has not been uploaded from a remote server,
however the responsibility for ensuring that the certificate can be trusted is assumed by the ACM system
administrator who pins the certificate. To ensure that an SSL certificate is valid before it is pinned, the ACM
system administrator should compare the SSL certificate at the remote host to the certificate received from
the remote host to confirm the SHA-256 fingerprints are identical.
Requirements for Using Pinned Certificates

On the remote Windows server (for example, an Active Directory (AD) server, if you are enabling remote
authentication using the AD of your company), the following tasks must be completed :
1. Configure a Windows domain controller. For an LDAP collaboration, TLS encryption must be activated.
2. Obtain the fully-qualified domain name of the DNS server for remote server's domain.
3. Enable AD Certificate Services.
4. Create a root certificate and a Domain Controller Authentication certificate.
These tasks are outside the scope of this document.
Requirements for Using Trusted Certificates

On the remote Windows server (for example, an Active Directory (AD) server, if you are enabling remote
authentication using the AD of your company), the following tasks must be completed:
1. Configure a Windows domain controller. For an LDAP collaboration, TLS encryption must be activated.
2. Obtain the fully-qualified domain name of the DNS server for remote server's domain.
3. Enable AD Certificate Services.
4. Create a root certificate and a Domain Controller Authentication certificate.
5. Export the Domain Controller's root CA certificate in Base-64 encoded X.509 (.CER) format. (Do not
export the private key.)
Important: Use OpenSSL to convert the file from .cer format to .pem format before you
upload the file to the appliance.
6. Upload the certificate to the ACM appliance. For more information, see Certificate Upload page on
page 422.
These tasks are outside the scope of this document.
Pinning or Trusting Certificates in the ACM System

Once you have all the requirements for either pinning or trusting the certificate for an external server, log in to
the ACM Client, and complete the following steps:
Requirements for Using Pinned Certificates 412

1. In the top-right, select >System Settings.
2. Select the External Domains tab.
3. Click Add External Domain.
4. On the External Domain: Add New page, enter a name for this external domain.
5. In the Server field, enter the full DNS name of your domain controller.
6. Click to display the trust level of this domain. The default setting is "Untrusted".
7. Click Validate Certificate.
8. Click . The domain controller is added to the Current Servers list.

9. Select the Remote Authentication tab.
Note: The Default Domain and Default Server options are not required for remote
authentication.
10. Select the Validate Certificate checkbox.
11. Click .
12. Repeat the previous steps on each ACM appliance in your system that requires remote authentication.
13. Enable remote authentication for each identity that will be logging into the ACM appliance:
a. Open the Identity:Edit page for a user who will be using remote authentication.
b. Under the Identity tab, select the Remote Authentication? checkbox in the Account
Information area.
c. In theLogin field, enter the user's ACM system login name.
d. In the Remote Domain drop down list, select the external domain that you added earlier.
e. In the Remote Login field, enter the user's Active Directory domain identity. Enter the login
name in this format: username@domain.org.
For example: j.smith@motorolasolutions.com
f. Click .
Enabling Remote Authentication for ACM Client Users

Enable remote authentication for each identity with permission to log into the ACM Client:
a. Open the Identity:Edit page for a user who will be using remote authentication.
b. Under the Identity tab, select the Remote Authentication? checkbox in the Account Information area.
c. In theLogin field, enter the user's ACM system login name.
d. In the Remote Domain drop down list, select the external domain that you added earlier.
e. In the Remote Login field, enter the user's Active Directory domain identity. Enter the login name in
this format: username@domain.org.
For example: j.smith@motorolasolutions.com
Enabling Remote Authentication for ACM Client Users 413

f. Click .
Now, when this user logs in to the ACM Client, they use their network login name and the password.
System Settings - General Fields

Set ACM system-wide settings on the General tab in > System Settings:
Note: Certain user settings in > My Account will override the general settings.
Enhanced Access Indicate that this system will use enhanced access levels for Mercury Security panels.
Level Enhanced access levels allow Mercury Security panels to accept more access groups
per token.

Allow Duplicate Duplicate PINs is an option available for an organization that wants to allow badge
PINs holders to have non-unique PINs. This option cannot be used with the PIN Only and
Card or PIN door modes as it does not allow tracking of an individual badge holder.
After you enable duplicate PINs, the available Door Mode options are:
l Card Only — This door can be accessed using a card. No PIN is required.
l Card and Pin — This door can only be accessed using both a card and a PIN.
l Facility Code Only — This door can be accessed using a facility code.
WARNING — After duplicate PINs are allowed, this cannot be reversed, and you
cannot use PIN Only and Card or PIN door modes. Only enable this option if you have
a specific requirement for duplicate PINs.
Do the following before allowing duplicate PINs to ensure that no doors are in either
PIN Only or Card or PIN door modes:
1. Select Physical Access > Doors to navigate to the Door list.

2. For each door currently in either PIN only, or Card or PIN mode:
l Select the checkbox beside the door.
l Either select Door Action > Restore to restore to the configured door
mode or select an alternative mode from the Door Mode dropdown list.
To allow duplicate PINs, check this box then:

l Click OK when the message 'Enabling duplicate PINs is an irreversible setting
and cannot be undone. Are you sure you want to continue?' displays.
l Click OK when the message 'Proceed with enabling duplicate PINs?' displays.
Note: The system will check Door Policies, Global Actions, Scheduled Jobs,
Panel Macros, and Interlocks to ensure there is no conflict with duplicate PINS
(e.g. doors are in PIN Only mode). If there are any conflicts these will have to
be corrected before allowing duplicate PINs. If there have been any
previously defined linkages, triggers or interlocks that are based on PIN Only
or Card or PIN event types, they will fail to execute.
Badge Template A new value in pixels to change the default height for displaying the ID photo used for
Photo Height
badge templates on the screen then click .
The default value of 153 px is approximately 1½ inches or 3.5 centimeters.

Badge Template A value in pixels to change the default width for displaying the ID photo used for
Photo Width
badge templates on the screen then click .
The default value of 117 px is approximately 1 inch or 2.5 centimeters.

Force Password For all users with the Force Password Change delegation assigned to their role.
Change
A checkbox to force the identity to change the password at the next login to the
ACM system. After the password is changed by the identity, the checkbox is
deselected automatically.
This option is enabled by default.
Note: The system will only apply this setting to new identities.
Tip: To apply the Force Password Change operation to a group of identities,

see Performing an Identity Batch Update on page 108. See Searching for an
Identity on page 68 to specify Force Password Change in the Search Field.
Identity Auto Enable the system to automatically increments the read-only Sequence Number field
Increment Field on the Identity page.
This option is disabled by default.
Identity Auto If you enabled Identity Auto Increment, enter the number the system will start counting
Increment Start
from then click .
The default value is 1.
Identity Auto If you enabled Identity Auto Increment, enter the value the system uses to increment
Increment Step
the sequence number then click .
For example, if you leave the default value of 1, the identity Sequence Number will
count 1, 2, 3 (etc.). If you enter 2, the identity Sequence Number will count 1, 3, 5 (etc.).

Language A language that the system will display by default.
Each user with access to the ACM system will be able to set their own language
preferences from the My Account page. For more information, see Setting Your
Preferred Language on page 477.
Click Translate Default Data to translate all of the system default values into the
selected language. It is recommended that you only perform this action once, or your
reports and logs will display values in multiple languages.
Maximum Active The maximum number of tokens that can be active per identity then click .
Tokens
Maximum Login The maximum number of attempts a user has to log into the ACM system before they
Attempts
are locked out, then click .
The user is locked out of the ACM system for 10 minutes and further login attempts will
result in the lockout time increasing. Authorized operators can reset the password to
bypass the lockout.
The default value is 5.

Password Strength Enable a minimum password strength requirement for ACM system upgrades which
Enforced can be performed using any user account. The password must contain 8 to 40
characters, and at least 1 uppercase letter, 1 lowercase letter and 1 digit. For more
information, see Logging In on page 23.
Post Roll The number of seconds a camera continues to record after a recorded video event.
Pre Roll The number of seconds of video that is automatically added before a recorded video
event.
Private Message A short message to display on the login screen.
Show Identity Enable a photo to be displayed beside each identity reference.
Photos
System Message
A title you want to use for the system then click .
The title is displayed under the Access Control Manager banner on each screen, and
the title is used for all messages sent by the system.
System Support
The contact details of your Avigilon support representative then click .
This information is displayed when a user clicks Support.

Token Expiration
Time The default number of days before a token expires then click .
Use/Lose The default number of days a token can be unused before it is automatically
Threshold deactivated, and then click .
Video Windows The maximum number of video display windows that can be open at the same time,
Count then click .
Create Report Generate a PDF of the values on this page.

System Settings - Remote Authentication page
When you select the Remote Authentication tab on the System Settings screen, the Remote Authentication
panel is displayed.
On this panel, define the default domain and server that hosts the Active Directory database used to
authenticate network users. This enables secure connections and encrypted traffic between the AD server
and the ACM servers and its clients. ACM Client users can then use their local domain username and
passwords to access the ACM system.
Feature Description
Default Select a domain from the drop down list.
Domain
Only the external domains that have been added to the system are listed.
Default Enter the name of the default server in the selected domain.
Server
Validate Check this box to enable the system to validate certificates from remote servers before use.
Certificate
The default setting is not checked. Use the default setting only if you do not need to validate
certificates from remote servers.
CAUTION — Risk of security breaches. When certificate validation is not enabled, certificates
are ignored by the ACM server software. Traffic between the ACM appliance and external
domains is unencrypted and can be easily compromised. To ensure secure connections and
encryption of all traffic, enable the Validate Certificate option on the Remote Authentication tab
of System Settings.
Create Click this button to generate a PDF of the values on this page.
New
Report
System Settings - External Domains list

When you select the External Domains tab from the System Settings page, the External Domains list is
displayed. This page lists any external domains that have been added to the system.
An external domain must be added before you can use remote authentication. For example, to connect the
ACM system to use your company's Active Directory (AD) to authenticate users, you must add the company
domain server to the External Domains Listing.
You can grant remote authentication access to individual badge holders from the Identity page. For more
information, see Identities on page 65.
System Settings - Remote Authentication page 418

Feature Description
Name The name of this external domain.
Click the name to edit the external domain. For more information, see System Settings -
External Domain: Edit page on the next page.
Delete Click to delete the selected external domain.
Add External Click this button to define a new external domain. For more information, see System
Domain Settings - External Domains Add page below.
Create New Click this button to generate a PDF report of the listed domains.
Report
Certificates Click this button to access the Certificate list.
From this page you can upload one or more certificates to give remote browsers access to
the ACM system.
System Settings - External Domains Add page

When you click Add External Domain from the External Domains list, the External Domain: Add New page is
displayed.
You must add an external domain to connect to a remote server for user validation using your company's
Active Directory (AD), or using LDAP.
Before you validate the certificate presented by the remote server in the external domain, it is recommended
that you find out the value of the SHA-256 fingerprint of the remote server's certificate. Then you can
compare that value to the one in the certificate displayed in the ACM software.
Feature Description
External Domain Enter the name of this external domain. Never append the extension .lan or
.local
New Server Enter the full-qualified domain name (FQDN) of the server in the external domain
and then click.
You can enter the IP address of the server, although this is not recommended as
it is more likely to change than the FQDN.
Display the current trust level of this domain. The default setting is "Untrusted".
System Settings - External Domains Add page 419

Feature Description
Validate Certificate Click to validate the certificate presented by the server. If the certificate from the
remote server is:
l Fully trusted—A "Certificate Verified" message is displayed. Click OK. The
certificate status is updated to Trusted.
l Untrusted—The certificate is displayed. Compare the SHA-256 fingerprint
to the actual certificate defined. If they match, click Trust and the
certificate status is updated to Pinned. Otherwise click Deny to update the
certificate status to Untrusted, or Cancel to close the dialog box without
making any changes.
l Not available—An error message is displayed, and the certificate status
remains Untrusted.
Hide the current trust level of this domain.
System Settings - External Domain: Edit page

When you click the name of a domain from the External Domains list, the External Domains: Edit page is
displayed.
Make any changes that are required.
Feature Description
External Domain Enter the name of this external domain. Never append the extension .lan or
.local
New Server Enter the full-qualified domain name (FQDN) of the server in the external domain
and then click.
You can enter the IP address of the server, although this is not recommended as
it is more likely to change than the FQDN.
Display the current trust level of this domain. The default setting is "Untrusted".
System Settings - External Domain: Edit page 420

Feature Description
Validate Certificate Click to validate the certificate presented by the server. If the certificate from the
remote server is:
l Fully trusted—A "Certificate Verified" message is displayed. Click OK. The
certificate status is updated to Trusted.
l Untrusted—The certificate is displayed. Compare the SHA-256 fingerprint
to the actual certificate defined. If they match, click Trust and the
certificate status is updated to Pinned. Otherwise click Deny to update the
certificate status to Untrusted, or Cancel to close the dialog box without
making any changes.
l Not available—An error message is displayed, and the certificate status
remains Untrusted.
Hide the current trust level of this domain.
System Settings - Certificates list

When you click Certificates from the External Domains list, the Certificates list is displayed.
Certificates that have been uploaded to the system are listed on this page. Certificates are used by browsers
to confirm that systems are safe for users to access.
Feature Description
Name The name of the certificate file.
Size The size of the certificate file.
Upload The date the file was uploaded.
Date
Click this button to delete the certificate.
Add New Click this button to upload a new certificate for this external domain.
Certificates
Listing
Note: To provide maximum security strength for your ACM system, ensure the
certificate meets the U.S. government's National Institute of Standards and
Technology (NIST) Special Publication 800-131A (SP 800-131A) standard.
If your ACM appliance to ACC integration deployment is having trouble connecting,

review the certificate requirements for the two systems. You may need to update the
certificate on the ACM appliance to resolve the connection issues between the two
systems.
System Settings - Certificates list 421

Certificate Upload page
Use this page to upload an external domain server certificate in .pem format to the ACM application. This
allows ACM Client users to log in using their network user ID and password through a fully trusted Active
Directory (AD) server on an external domain.
Tip: The exported certificate must be converted from .cer format to .pem format by a system
administrator on the AD server before it is uploaded to the ACM server.
There must be a certificate for every server that has been added to the system as part of the external domain.
Feature Description
Upload Certificate Click Browse to locate and select the certificate in the Choose File to Upload dialog
file: box.
Badge Templates and the Badge Designer

This feature requires a license. Contact your Avigilon support representative for more information.
Badge templates define the layout of badges or cards that are used to access doors within your access
control system. They are created by a qualified operator using the Badge Designer. Multiple badge templates
can be defined in the ACM system.
Select > Badge Designer to access the Badge Templates page. From this page, you can add a new
badge template, or select a badge template to edit, with the Badge Designer.
The Badge Designer is used to design the appearance and content on a badge template. You can add
photos, logos, text, and database fields to a badge template and position these elements on the layout. A
badge template can specify colors and fonts depending on the values provided.
For example, if an employee is specified as part-time, the color used for the employee's name can be
changed from black to orange, making it easier for guards to differentiate between full-time and part-time
employees. You can differentiate identities with different access privileges, such as access to certain
buildings on a campus, or specific floors in a multi-tenant office building, using graphics such as company
logos and insignias, or text.
A badge template is used when a badge is generated for a badge-holder to both format the badge and
populate it with data from the Identities database. At least one badge template to assign to identities must be
created before badges can be printed using Identities > Badge. Badges are usually printed when a person
who requires a badge is enrolled into the ACM system using the Identities feature. When printing the badge,
an enrollment officer or administrator specifies a badge template and then generates (prints) a badge. The
badge has all relevant information automatically placed on the badge.
Certificate Upload page 422

Note: Badge templates can be designed as either one- or two-sided. A two-sided badge must be
printed by a badge printer possessing duplex capability.
Using the Badge Designer

Use the Badge Designer to create templates that define the layout and appearance of access badges.
A badge template defines the basic attributes of a badge that are used when a new badge is generated for
an identity: size and background color, plus a variety of dynamic and static fields and images. Dynamic fields
and images pull the unique information about the badge holder from the Identities database for each
individual badge and static objects are the text strings and graphics printed on every badge. For each object,
you can specify its location and appearance.
Field Image
Dynamic DBField: A data field object Picture:: A picture object specifies the
specifies the information about the size and location of the photo of the
identity that you want on the badge, identity on a badge.
such as first and last name, ID
The actual photo used for an identity
number, title, position, rank and so
when a badge is generated is a photo
on.
saved in the Identities database that
was either captured with a badge
camera, or uploaded, and saved.
Static Text: A text object specifies the text Graphic: A graphic object specifies the
that appears on every badge name of an uploaded graphic file
generated with this template. image file that appears on every badge
generated with this template.
You must create at least one badge template before you can print a badge at Identities > Badge. Depending
on the requirements of your site, you may need one or more badge templates.
Note: Badge templates can be designed as either one- or two-sided. A two-sided badge must be
printed by a badge printer possessing duplex (double-sided printing) capability.
Opening the Badge Designer
Select > Badge Designer to open the Badge Templates page. From this page, click Add Badge
Template or the name of an existing badge template to open the Badge Designer page.
Formatting the Appearance of a Badge Template
Use the canvas data fields that appear at the top of the Badge Designer page to set the size, color, and other
format details. Next to the canvas data fields is the canvas area, with the preview area beneath that show the

changes to the template as you make them.
All measurements in the Badge Designer are in pixels, at a resolution of 100 pixels per inch, equivalent to 40
pixels per centimeter.
1. Give the badge template a name, or change it.

2. Change the size of the badge if needed. Values are entered in pixels. The default size is equivalent to
a print area of 2 x 3.25 inches, or 5 x 7 centimeters.
3. Click in the BG Color field to open the color picker. Enter a hex code or select a color for the
background.
4. Click OK to close the color picker, then click to apply the background color to the canvas and the
preview.
5. Change the value in the Opacity field only if you want the background color to be semi-transparent or
transparent. For example if you are overprinting badge information on a preprinted badge. Click
to apply the opacity to the preview.
Create a Two-Sided Badge Template

1. Select the Two Sided checkbox.
The Back Side button appears at the top of the page.
2.
Important: Click to save this setting.
To view the back of the badge, at the top of the page, click Back Side. To view the front of the badge,
at the top of the page, click Front Side.
Adding and Editing Objects
You can add four types of objects to a badge template to define the information that appears on the identity
badges generated by this template:
Object Definition
Picture Dynamic. A photo of the identity supplied by the Identities database. You can have only one
photo per side of a badge.
Data Dynamic. An item of information supplied by the Identities database, such as the person's
Field name. You can have many data fields per side of a badge.
Text Static. Text such as a company name, or slogan to appear on every badge. You can have many
data fields per side of a badge.
Graphic Static. Image files such as a logo, insignia or texture, to appear on the badge, uploaded into the
template. You can have many images per side of a badge.
When you add an object, additional fields for that object appear below, and an appropriate placeholder
appears on the Canvas. You can expand and collapse each object in the list to access its field settings.
1. On the canvas you can position any object by clicking and dragging with the mouse.
2. Select the object in the list to edit its settings.
3. Any change you make to the object's field settings are reflected on the canvas.
4. Click beside an object to delete it from the list. Objects deleted from the list are not deleted from
the canvas until you save changes.
5. Click frequently to save changes and show the result in the Preview.
Tip: Add objects to the Canvas from largest to smallest in size. The Canvas displays objects in
the order they are added not by the Layer Order setting, so large objects can obscure smaller
ones. Save the template to refresh the Preview and see the actual result.
Adding and Editing a Picture Object

1. Click the Add Picture button to add a photo object to the canvas.
2. Click Photo to hide or show the photo object settings.
3. Adjust the appearance of the photo.
Tip: The default dimensions of the photo on the badge displayed on the screen are defined
by the values set on the System Settings page for Badge Template Photo Height and
Badge Template Photo Width and should not normally be altered here. These two settings
ensure that the size of the photo on all badges printed by this badge template are uniformly
sized and have the same aspect ratio.
To accommodate minor variations in the aspect ratio of individual photos without distortion, enable the
Maintain Aspect Ratio option.
See Fields Common to All Objects below and Fields Common to Picture and Graphic Objects on
page 428.
Adding and Editing a Data Field Object
1. Click Add DB Field to add a data field object to the canvas.

2. Click Data Field to hide or show the data field object settings.
3. In the Data Field drop-down list select a data field. For example, to have a badge include a person's
name when it is generated, select one of the name fields listed, such as Full Name.
4. Adjust the appearance of the data field object. You can resize the object to ensure all text is visible as
well as change the font, size, and color. Additionally, select the Auto Resize checkbox to make the
text shrink to fit inside a fixed size box if the text in the specified font size does not fit. See Fields
Common to All Objects below and Fields Common to Data Field and Text Objects on the next page.
Adding and Editing a Text Object
1. Click Add Text to add a text object to the canvas.

2. Click Text to hide or show the text object settings.
3. In the Text field, enter the text you want to appear on all badges generated with this template.
4. Adjust the appearance of the database field object. You can resize the object to ensure all text is
visible as well as change the font, size, and color. Additionally, select the Auto Resize checkbox to
make the text shrink to fit inside a fixed size box if the text in the specified font size does not fit. See
Fields Common to All Objects below and Fields Common to Data Field and Text Objects on the next
page.
Adding and Editing a Graphic Object
1. Click Add Graphic to add an image object to the canvas.

2. Click # or Image File Name item to show or hide the graphic object settings.
3. In the Image field, click Choose File to upload a file to the ACM system and add to the badge template.
4. Adjust the appearance of the photo object in various ways. See Fields Common to All Objects below
and Fields Common to Picture and Graphic Objects on page 428.
Fields Common to All Objects

Field Description
Layer Order A number indicating the order an object appears when objects are stacked in front of each
other. The initial layer order is the order the objects were added to the template.
1 is the lowest layer, 2 is in front of 1 and so on. You can reorder the layers by typing over the
value for each object.
Location Click and drag the object on the canvas, or enter the horizontal and vertical coordinates of the
top left corner.
The default setting of 0 x 0 would place the object in the top left corner, while 80 x 160 would
place the object lower and to the right.
Dimensions Modify the default size of the object (in pixels) if needed.
Tip: Do not modify the size of an identity photo object here. It is better to change the
default values on the System Settings page, as this ensures the same aspect ratio is
used for the dropping overlay when photos are taken with a badge camera and
saved in the Identities database.
The first field is the width and the second field is the height.
Rotation Select the number of degrees to rotate this object clockwise from the dropdown list.
The default is 0 degrees.
Fields Common to Data Field and Text Objects

Field Description
BG Color Click this field to choose a background color for the object. By default, it is set to be the same
color as the badge template.
Use the color picker to either select a color from the palette or manually enter the color in RGB,
HSV or hex code format.
Opacity Enter how opaque you want the background color to be, in conjunction with the layer order.
0% is fully transparent and the default setting of 100% is fully opaque.

Font Select the font you want for the text.
The font list includes text fonts and barcode fonts. Text fonts are listed first, then barcode fonts.
Font Size Enter the font size in points. If Auto Resize is selected, this is the maximum font size.
Auto Select this checkbox to have the system automatically shrink the font size to fit the dimensions
Resize of the object.
Alignment Select how you want the text to align inside the object.
Text Color Click this field to choose a font color.
Use the color picker to either select a color from the palette or manually enter the color in RGB,
HSV or hex code format.

Field Description
Opacity Enter how opaque you want the font color to be, in conjunction with the layer order.
0% is fully transparent and the default setting of 100% is fully opaque.
Fields Common to Picture and Graphic Objects

Field Description
Image (Applies to graphic objects only) Specifies the image to upload to the ACM system and
place on the badge template. After the graphic is uploaded, the file name replaces # in the
list of objects on the badge template.
Maintain Check this box to always maintain the aspect ratio of the photo. When the aspect ratio is
Aspect maintained, the photo is scaled to fit within the object space. If this option is disabled, the
photo is automatically stretched to fill the object space.
Border Width Select the border thickness (in pixels) for the picture or image from the drop-down list. The
photo or graphic will be offset by the width of the border.
Border Color Use the color picker to either select a color from the palette or manually enter the color in
RGB, HSV or hex code format.
Adding a Barcode Using Static and Dynamic Objects
1. When you create a badge template, you can add a barcode by using either of the following options:
l Click Add Text to place a static barcode that will be the same for every badge that is generated
from the template.
l Click Add DB Field to place a dynamic barcode that changes to match the detail listed in the
identity record.
2. After you add the badge object, select a barcode font. The available barcode fonts include Barcode 3
of 9, Barcode 3 of 9 Extended, Aztec Code, Code One and more. The font option lists the text fonts
first and then the barcode fonts.
3. Click to save your changes and display the barcode in the preview area.
Note: Many of these barcodes require a specific format or do not accept certain characters. If the
data given to the barcode generator from the Identities database is invalid, the barcode will not be
displayed on the badge.
Badge Templates list

When you select > Badge Designer, the Badge Templates list is displayed. From this page, you can add
and edit badge templates with the Badge Designer.
Badge templates are used to define the layout of badges or cards that are used to access doors within your
access control system. They are created by a qualified operator using the Badge Designer. Multiple badge
templates can be defined in the ACM system.
This page lists all the badge templates that have been added to the system.
Badge Templates list 428

Feature Description
Name The name of the badge template.
Click the name to edit the badge template. For more information, see Using the Badge
Designer on page 423.
Commands
Click to delete the badge template.
Click to copy the badge template.
The copy of the badge template is automatically added to the top of the list.
Add Badge Click this button to add a new badge template. For more information, see Using the
Template Badge Designer on page 423.
External Systems Overview

Set up integration to cameras, sites and other third-party external systems.
Note: Some external systems may not be available if your system does not have the required
license.
Before you can connect and use the external systems, the external system must be installed and accessible
to the appliance over the local network.
Supported External Systems

Listed below are all the external systems that are supported by the ACM system. Some systems may not be
available to you if your system does not have the required license.
l IP cameras and network video management systems (VMSs), including Avigilon Control Center.
You can add individual cameras to add photos to the Identities database, or you can add whole
network video systems that can be configured to work with doors and events in the ACM system, and
record video triggered by events for surveillance.
l LifeSafety Power Supplies
l ViRDI Biometric Access scanners and readers
l Virtual Stations — ACM Verify™ Virtual Doors
For example, the ViRDI external system requires a separate license. Before a ViRDI system can be
created on your ACM server appliance, the system administrator for the ACM application must:
o Add the ViRDI license to the ACM application. See Adding a License on page 374.
o Add the four ViRDI-specific delegations to the role assigned to operators. These delegations
are all prefixed with "ViRDI". See Assigning Delegations to a Role on page 89 and Roles -
Delegate page on page 93.
External Systems Overview 429

l Bosch intrusion panels
For more information, see Bosch Intrusion Panels on page 436.
l Allegion ENGAGE gateways
For more information, see IP/PoE Mode Installation on page 281 and Step 1: Creating an ENGAGE Site
on page 293.
l SALTO servers
For more information, see SALTO Door Installation on page 298 and Step 1: Connecting to a SALTO
Server on page 302.
l HID Origo
For more information, see Configuring HID Mobile Access® Credentials on page 66 and Step 1:
Connecting to the HID Origo External System on page 66.
l DMP intrusion panels
For more information, see DMP Intrusion Panel Installation on page 445 and Step 1: Connecting to a
DMP Intrusion Panel on page 447.
Adding External Systems

You can add several types of external systems to the ACM system.
Important: Before you can add any external system, you must first connect a supported device to
your network or server, and then configure the device as described in device documentation. Write
down the device's IP address and onboard URL. For some external systems, refer to an ACM-specific
integration guide that provides installation, connection and configuration instructions.

2. Select the tab for the external system you want to add.
3. From the External Systems listing page, click or Create depending on the system.
4. In the following page, complete the required fields to add the new external system.
5. Click to save the new external system.
See also:
l Step 1: Creating an ENGAGE Site on page 293
l Step 1: Connecting to a SALTO Server on page 302
l Step 1: Connecting to a DMP Intrusion Panel on page 447
Adding External Systems 430

Editing External Systems
2. Select the tab for the type of external system you want to edit.
3. From the External Systems listing page, click the name or address of the specific system you want to
edit.
4. In the following page, make the required changes.
See also:
l Editing an ENGAGE Site below
Editing an ENGAGE Site

To edit an ENGAGE site in ACM:

3. Click the site name.
4. Edit:
the logical group of ENGAGE devices. Always create an ENGAGE site in the
ACM application. A site that is already created in the ENGAGE application
cannot be reused in the ACM application. In addition, a site cannot be used
by more than one ACM appliance.
Deleting External Systems

Uninstalling an external system does not remove it from your system. Uninstalling it will simply prevent
communication with the ACM appliance. You may need to delete the external system as required.

2. Select the tab for the type of external system.
3. Click next to the name of the external system.
For Bosch intrusion panels, click . Associated items such as linkages and actions, and intrusion
Editing External Systems 431

users will also be deleted.
For DMP intrusion panels, click . Associated items such as linkages and actions, zones, areas,
outputs, identity mapping, and intrusion users will also be deleted.
For the HID Origo external system, click Delete.
External Systems - Integrating an ACM Appliance into an ACC™ Site

An ACM appliance can be integrated into an ACC site so that events occurring in the ACM software can
trigger rules in the ACC software to initiate actions. For example, door events in the ACM software can trigger
a rule that allows an ACC operator to grant door access, or an input event from a panic button or motion
sensor in the ACM software can trigger a live camera feed, or video recording.
To integrate an ACM appliance, a special identity to interact with the ACC software must be created by an
ACM administrator. This identity must be assigned a special role and delegation with specific rights, and a
routing group that specifies the events that the ACC software receives. Only one identity must be created for
this purpose.
As of ACM 5.10.10.2, a preconfigured role and delegation with the necessary rights are available for this
special identity that is suitable for most integration scenarios. The role and delegation are both called
ACC Administrator. However, if this special identity needs additional rights, you will have to modify the rights
associated with the delegation, or configure a new role and delegation. The routing group has to be
configured, and optionally if you plan to import Active Directory identities through ACM, you will have to
configure remote authentication.
If you are using an earlier version of the ACM appliance, you will need to create your own ACC Administrator
role and delegation with the appropriate rights.
Use the following steps to configure an identity to interact with the ACC software:
1. Ensure the ACC Administrator delegation has the following rights:

l Appliance Listing
l Delegations Listing
l Doors Grant
l Doors Listing
l Force Password Change
l Identities Listing
l Identities Login - Remote
l Identities Photo Render
l Inputs Listing
l Panels Listing
l Partitions List
l Roles Listing
l Subpanels Listing

l System Summary Listing
l REST Appliance Status Display
l REST Get Doors
l REST Get Identities
l REST Get Identity
l REST Get Inputs
l REST Get Panels
l REST Get Right Groups
l REST Get Roles
l REST Get Subpanels
2. Create a routing group to define events sent from the ACM appliance to the ACC software.
a. Specify the following for the group:
l Schedule: 24 Hours Active
l Schedule Qualifier: Appliance
l The Installed box must be checked
b. Add the following event types to the routing group:
l Door held open
l Forced Door
l Intrusion
l Invalid Credential
l Maintenance
l System
l Tamper
l Valid Credential
3. Create a role that allows the ACC software to communicate with the ACM system.
a. Keep the default Parent value (none).
b. Keep the default Start Date value (the current date).
c. In the Stop Date box, enter an appropriate date for this role to expire. By default, the
role will stop working 1 year from its creation date.
d. Select the Installed checkbox and click Save.
Additional tabs will appear.
e. In the role's Delegate tab, assign only the ACC Administrator delegation that was
created in the preceding steps.
f. In the Routing tab, assign only the routing group that was created in the preceding
steps.
4. If you plan to import Active Directory identities to the ACM appliance or the ACC software, configure a
Lightweight Directory Access Protocol (LDAP) Collaboration. For Active Directory Remote

Authentication, configure remote authentication from external domains.
5. Create a dedicated identity for interacting with the ACC software.
Note: To protect the security of the connection between the ACM appliance and the ACC
software, the dedicated identity should have only the permissions outlined in this procedure.
Operators should not have access to this account.
l Assign a Last Name, Login, and Password for the identity. Uncheck the Force Password
Change checkbox.
l The password should meet the minimum password strength requirements for your ACC site.
The password strength is defined by how easy it is for an unauthorized user to guess. It is
highly recommended that you select a password that uses a series of words that is easy for you
to remember but difficult for others to guess.
l Under the identity's Roles tab, assign only the role that was created in the preceding step.
6. If your ACM appliance uses partitions, add the identity as a member of the partitions they will need to
access from the ACC Client.
7. Configure the ACM appliance to use the same NTP Time Server as the ACC Server.
For Windows systems, the ACC Server gets its time from the operating system. For Avigilon Hardened
OS appliances, the NTP Time Server can be configured through the device's web interface.
a. In the top-right corner, click the gear icon to open the Setup & Settings menu and select
Appliance.
b. In the Time Server box, enter the Time Server IP address.
Once these settings are applied, an ACC Client can connect to the ACM appliance. For more information, see
the ACC™ and ACM™ Unification Guide (link).
External Systems - Defining the Badge Camera for the System

Once all cameras or other imaging devices have been added as part of an external system, you can set which
camera to use when creating badges for identities.
1. Select > My Account.

2. Under the Profile tab, select a camera from the Badge Camera drop down list:
l Local Camera — Any camera connected directly to your computer or built into your computer
or monitor.
l IP-based camera — Any IP-based camera previously connected to your network and added to
your ACM system.
Next time you create a badge, the selected camera is used to take the identity photo.
External Systems - Defining the Badge Camera for the System 434
External Systems - ViRDI
When you select the ViRDI tab on the External Systems page, the ViRDI System Settings page is displayed.
The ViRDI system allows you to use fingerprint readers for access control, and optionally to use additional
authentication to provide two-way or three-way authentication for increased security. Only one ViRDI system
setting can be configured on an ACM server appliance. If a replication server is deployed for this ACM server
appliance, you can also configure ViRDI system settings for the replication server. After the ViRDI server is
installed, ViRDI Biometrics tokens can be created for identities, and the Biometrics Enrollment Manager can
be accessed to register fingerprints and additional authentication methods for ACM identities.
Two ViRDI readers are supported:

l ViRDI AC2000—supports fingerprint, or card and fingerprint authentication for up to 1,500 users.
l ViRDI AC5000 Plus —supports any combination of fingerprint, card, and PIN authentication for up to
20,000 users.
Fingerprints are registered using the ViRDI FOHO2 fingerprint reader, which can be installed at enrollment
stations. The authentication method (one- two- or three-way authentication) used by the reader for these
tokens is configured using the Biometrics Enrollment Manager (BEM).
External Systems - ViRDI System Settings

When you click the ViRDI tab from the External Systems page, the ViRDI System Settings page is displayed.
This page allows you to create or delete the ViRDI system setting on an ACM server appliance.
Feature Description
Appliance The appliance this server is connected to.
Reserved The default minimum and maximum values are displayed. These values can be adjusted to
User meet the requirements of your system, but must be within the initial default range of 1 to
ID Range
99999999.
Consider the following recommendations:

l Reserve a block of numbers within this range dedicated for ViRDI biometric tokens for
use by the ACM system.
l Do not assign any of those numbers to physical cards for other types of access readers.
l Do not modify this range.
Note: If you must modify the range, contact Avigilon customer support for guidance.
Web Accept the default port or enter a new port number.

Service
Port If you change this port number from the default port (9875), you must also change the
corresponding port number on every Biometric Enrollment (BE) Manager used for identity
enrollment.
External Systems - ViRDI 435

Feature Description
Delete Click to delete the server from the system.
Update Click this button to add the ViRDI server to the system.
Bosch Intrusion Panels

The following procedures relate to Bosch intrusion panels.
Integrating the ACM System with Bosch Intrusion Panels

Complete the following steps to integrate the ACM system with Bosch intrusion panels.
Requirements:
l ACM version 5.10.10 installed.
l ACM license for Bosch Intrusion.
l Bosch alarm panel B series (35xx, 45xx, 55xx, 85xx, 95xx) D9412, D7412.
Do the following to configure the Bosch alarm panel before you can connect to the ACM appliance:
1. Download and install Bosch RPS (Remote Programming Software).

More details about the software can be found at Bosch website:
https://us.boschsecurity.com/en/products/intrusionalarmsystems/software/programmingsoftware/rem
oteprogrammingsoftware/remoteprogrammingsoftware_25629
Depending on the alarm panel version (above B55xx Series) you will need the RPS dongle key (USB)
to enable the software.
2. Launch the Bosch RPS software.
3. Do the following in RPS:
l Go to the Panel View and select the panel connecting to the ACM appliance.
l Select AUTOMATION/REMOTE APP.
l Enter:
o Mode 2 in the Automation Device field.
o Bosch_Auto in the Automation Passcode field. This password needs to be entered in
the Automation Passcode field in the ACM application.
o Bosch_RSC is the default in the Remote App Passcode field. This password needs to
be entered in the Application Passcode field in the ACM application.
o Save changes and upload to the panel.
Bosch Intrusion Panels 436

4. Launch the ACM client and do the following:
l Select Settings > External Systems. Click the Bosch Intrusion tab.
l
Click to add a new alarm panel.
l Enter the Panel Name.
l Enter the IP address in the Address field. Check that the IP address matches the IP address in
RPS (see below).
Integrating the ACM System with Bosch Intrusion Panels 437

l Enter the port number in the Port field. Make sure this matches the TCP/UDP Port Number in
RPS (see above).
l Enter the Automation Passcode (same as the Automation Passcode in RPS).
l Enter the Application Passcode (same as the Remote App Passcode in RPS).
l Click the Installed checkbox.
l Click Create to save the configuration. After you save the configuration in the ACM software, it
will take a couple of seconds to communicate with the alarm panel. You should see a green
LED indicating “online." ACM imports all Areas, Users, Input, and Output data from the Bosch
alarm panel.
Adding a Bosch Intrusion Panel

To add a new Bosch intrusion panel:

2. Click the Bosch Intrusion tab.
3. Click to add a new panel.
l Panel Name
l Appliance
l Address
l Port
l Automation Passcode
l Application Passcode
l Installed
5. Click Create.
Note: The Areas, Points, Outputs and Users are created from the panel, as configured in
Bosch's Remote Programming Software (RPS).
6. Click beside the Panel name.

7. Select Areas. View the Area details.
8. Select Points. View the Point details.
9. Select Outputs. View the Output details.
10. Select Users. View the User details.
11. Click Save.
Editing a Bosch Intrusion Panel

To edit and view a Bosch intrusion panel:
Adding a Bosch Intrusion Panel 438

3. Review the panel status indicator to identify the current status of the panel.
4. Edit or view the following fields:
l Panel Name
l Appliance
l Address
l Port
l Automation Passcode
l Application Passcode
l Installed
5. To view Area details, select Areas.
6. To view Point details, select Points.
7. To view Output details, select Outputs.
8. To view User details, select Users.
Viewing Auto-Synced Bosch Intrusion Panels

If intrusion panel information is updated externally to the ACM system (e.g. new identities being added in
Bosch's Remote Programming Software - RPS), the panel information is automatically synced in the ACM
system.

In ACM 6.34 and newer releases, is no longer displayed for manual syncing. Allow a few seconds
for the panel information to be automatically synced ( ) in the ACM system.
Deleting a Bosch Intrusion Panel

To delete a Bosch intrusion panel:

3. Select the panel to be deleted.
4. Click to delete the panel.
Note: The panel will be deleted and will disappear from this view.
Viewing Auto-Synced Bosch Intrusion Panels 439

Viewing Bosch Intrusion Panel Areas
To view Bosch intrusion panel areas:

3. Select a panel and click .

4. View the areas details that display.
Note: Areas are not edited in the ACM system. All editing is done in Remote Programming
Software (RPS) and updated through the panel.
Viewing Bosch Intrusion Panel Points

To view Bosch intrusion panel points:


4. Select Points.
5. View the point details that display.
Note: Points are not edited in the ACM system. All editing is done in Remote Programming
Viewing Bosch Intrusion Panel Outputs

To view Bosch intrusion panel outputs:


4. Select Outputs.
5. View the output details that display.
Note: Outputs are not edited in the ACM system. All editing is done in Remote Programming
Viewing Bosch Intrusion Panel Areas 440

Viewing Bosch Intrusion Panel Users
To view Bosch intrusion panel users:


4. Select Users.
5. View the user details that display.
Note: Users are not edited in the ACM system. All editing is done in Remote Programming
Software (RPS) and updated through the panel. However, users can be associated to
identities tokens. For more detail, refer to Assigning Bosch Intrusion Panel Users to Identities
below.
Note: It may take several minutes to retrieve user information from the panel.
Assigning Bosch Intrusion Panel Users to Identities
Bosch intrusion panel users can be assigned to identities in the ACM system. This is done in order to allow
users the ability to arm and disarm areas. This can be done:
l on a one-to-one basis (e.g. user 'Jane Smith' is associated to identity Jane Smith), or
l on a one-to-many basis (e.g. user 'Administration Team' is associated to identities Jane Smith, Robert
Jones and Andrew Wilson).
To assign users to identities, do the following:
1. Select Identities.
2. Search for the required identity and select it from the list that displays. For more detail, refer to
Searching for an Identity on page 68.
3. Click the Tokens tab.
Note: In order to save the changes on this page ensure that the Embossed Number and
Internal Number fields relating to the identity are completed.
4. In the Intrusion Users: Available the list select the user to add.
Note: The list displays username, ID of the user and panel name for each user. These details
Viewing Bosch Intrusion Panel Users 441

are displayed to distinguish between users with the same or similar names.
5. Click .
Note: The username, ID of the user and panel name displays in the Intrusion Users:
Members list. To remove an entry from this list, select the member and click to move
the member to the Intrusion Users: Available list.
6. Click .
Supported Bosch Intrusion Panels

Noted below are the details of the supported Bosch Intrusion Panels:
Panel Details
B3512 Areas: 1
Custom Functions: 1
Keypads: 4
Events: 127
Passcode Users (+1 Installer): 10
Points: 16
Programmable outputs: 3
RF Points: 8
SKED Events: 1
Firmware version: 3.0.2 or greater

B4512 Areas: 2
Custom Functions: 2
Keypads: 8
Events: 127
Points: 28
RF Points: 20
SKED Events: 5

B5512 Areas: 4
Custom Functions: 4
Keypads: 8
Events: 255
Points: 48
RF Points: 40
SKED Events: 5

B6512 Areas: 6
Custom Functions: 6
Keypads: 8
Events: 1,000
Points: 96 (8 on-board, 88 off-board and virtual)
RF Points: 88
SKED Events: 6

B9512G Areas: 32
Custom Functions: 32
Keypads: 32
Events: 10,192
Passcode Users (+1 Installer): 2,000
Points: 599
RF Points: 591
SKED Events: 80

B8512G Areas: 8
Custom Functions: 8
Keypads: 16
Events: 2,048
Points: 99
RF Points: 91
SKED Events: 40

D9412GV4 Areas: 32
Custom Functions: 16
Keypads: 16
Events: 1,000
Points: 246
RF Points: 238
SKED Events: 40
Firmware version: Version 2.0 or greater

D7412GV4 Areas: 8
Custom Functions: 4
Keypads: 16
Events: 1,000
Points: 75
RF Points: 67
SKED Events: 40
Firmware version: Version 2.0 or greater
DMP Intrusion Panel Installation

Add and configure Digital Monitoring Products (DMP) intrusion panels in ACM and monitor their areas, zones,
outputs and DMP users. For more information, see:
l Step 1: Connecting to a DMP Intrusion Panel on page 447
l Step 2: Viewing an Installed DMP Intrusion Panel and its Areas, Zones, Outputs and Users on
page 449
l Step 3: Assigning DMP Intrusion Users to Identities on page 449
Note: Before you begin, configure the DMP intrusion panel using the DMP Remote™ Link software
before you use the ACM system. Every time you add, update or delete panels in the DMP intrusion
system, the updates are automatically synced with ACM. Areas, zones, and outputs are not edited in
the ACM system. All editing is done in the Remote Link software. Identities (and their tokens) must be
managed in the ACM system.
System Overview
Figure 21: ACM system organization for DMP intrusion panel and devices
DMP Intrusion Panel Installation 445

monitoring
2 ACM appliance
3 Encrypted connection provided by the ACM appliance certificate
4 DMP Remote Link software for the configuration of areas, zones, outputs and users
5 DMP intrusion panel and keypad, including panel battery power, AC power, tamper switch, two
phone lines, wireless sensor, and printer, if installed
6 Outputs, including smoke detectors and fire alarms (graphic annunciators), if installed
7 Areas, including devices that are connected to multiple zones (A, B), if installed
For example, zone A can be connected to a wireless sensor and zone B can be connected to a
keypad on a door.
Prerequisites
Contact your integrator to purchase a 1-panel or 10-panel license. More than one license can be installed on
an ACM appliance.
Note: For general, new or updated instructions about the installation and configuration of the DMP
intrusion system and DMP Remote Link software, refer to DMP system documentation. DMP
firmware version 212, or newer, is required.
Remote Link Software Configuration
In the Remote Link software, save the following DMP panel configuration.
Prerequisites 446
A.C. Power Failure Notification
Optional. To change the default A.C. power failure notification setting (default is 1 hour):
1. Go to Program > System Options.

2. Set Power Fail Delay to 0 to receive an event in a few seconds or choose the number of hours.
Panel Encryption
Required. To enable panel encryption:
1. Go to Program > Remote Options.

2. Enter a checkmark in the Encrypt Network Remote checkbox.
Remote Key
Required. To define the remote key for the panel:
1. Go to Program > Remote Options.

2. Enter the value in Remote Key.
Note: The Remote Key must be entered in the ACM application.
Supported Devices
The ACM application is mapped to the physical configuration of DMP intrusion systems as follows.
See See - Up to 100 XR150 and XR550 Series intrusion panels in any
external external combination to each license
system system
Support for areas, zones and other items is dependent on the panel
model. See vendor documentation for the limits.
Step 1: Connecting to a DMP Intrusion Panel
Note: Before you begin, make sure the DMP intrusion panel is connected to the local network.
To add a DMP intrusion panel in ACM:
A.C. Power Failure Notification 447

2. Click the DMP Intrusion tab.
3. Click Add.
4. Enter:
Panel Name A unique name for the panel. Choose a name that will help you identify the
devices it controls. Duplicate names are not allowed.
Important: Make sure the encryption setting is enabled in the

Remote Link software. For more information, see Prerequisites on
page 446.
Panel Type Read-only field. The type or model of DMP intrusion panel.

Appliance Read-only field. The name of the ACM appliance that is connected to the
panel.
Address The IP address or hostname of the panel.
Port The TCP/IP port number configured on the panel.
Account Number The account number of the panel.
Remote Key The remote key configured in the Remote Link software.
Installed Enables communication between the ACM appliance and panel after saving.
All areas, zones, and outputs are imported in an installed state from the online panel.
Next, see Step 2: Viewing an Installed DMP Intrusion Panel and its Areas, Zones, Outputs and Users on the
next page.
Deleting a DMP Intrusion Panel
To delete a DMP intrusion panel:

2. Click the DMP Intrusion tab.
3. Select the panel to be deleted.
4. Click .
Note: Associated items such as linkages and actions, zones, areas, outputs, identity mapping,
Deleting a DMP Intrusion Panel 448

and intrusion users will also be deleted.
5. Click OK.
Step 2: Viewing an Installed DMP Intrusion Panel and its Areas, Zones, Outputs and
Users
On the DMP Intrusion tab of the external system, do any of the following:
l
Type the name of the object in the filter box ( ) to filter the list.
Click the column heading to sort the list.
l If an area, zone, or output should not be monitored, uninstall it by removing the checkmark.
The status changes to No in the Installed column.
l
Allow a few seconds for the panel information to be synced ( ) in the ACM system.
Next, see Step 3: Assigning DMP Intrusion Users to Identities below.
Step 3: Assigning DMP Intrusion Users to Identities

Assign DMP intrusion users to the tokens of their identities in the ACM system to enable the arming and
disarming of the intrusion system.
Note: A token can be mapped to only one intrusion user per panel.
Tip: Identities are defined by their DMP user name, ID and DMP panel name.
2. Click the Tokens tab.

3. In the Available list, move the identities to the Members list.
4. Click .
Generating Reports
To generate the Event Report for intrusion systems:
Step 2: Viewing an Installed DMP Intrusion Panel and its Areas, Zones, Outputs and Users 449
1. Select Reports > Reports.
2. Click Event Report.
3. Click and to add items to Find.

Include Intrusion DMP.
4. Click to save the search.
Enabling Debug Logs
Note: Enabling the appliance logs requires these delegations: Appliance Log, Appliance Log
Download, Appliance Log Show, and Appliance Log Update. Contact your support representative to
enable the Debug checkbox, if needed.
To debug using the appliance logs:
1. Select > Appliance and the Access tab.

2. Put a checkmark in the Debug checkbox next to Intrusion Service.
3. Click .
See also Accessing Appliance Logs on page 370.
Maps - Introduction
Maps are a graphical representation of your access control system. Import maps of your facility and populate
them with door, panel, subpanel, input, output, camera and global action alarm points that can be monitored.
Maps - Creating and Editing a Map

Maps can be used to help you visually locate where doors, cameras, inputs and outputs are located in your
facility. You can use any image in BMP, or GIF, JPEG, PNG, PDF, TIP and WMF format as the base of the map.
Maps are also used to display Mustering dashboard elements. For more information about setting up a
Mustering dashboard, see Mustering - Creating a Dashboard on page 338.
1. Select > Maps.

2. To add a new map, click Add New Map Template.
a. On the following Maps Template: Add New page, enter a name for the map.
b. Click Browse then locate the image file that you want to use for the map.
If you are planning to create a Mustering dashboard, select the Use Blank Canvas checkbox to
use a blank background.

c. Enter the dimensions of the map in the Re-Size To fields.
Note: If you enter a size that matches the image's aspect ratio, the map image is re-
sized accordingly. If you enter a size that does not match the image's aspect ratio, the
system centers the image then crops the sides to match the defined setting.
d. Click to save the new map template.

The page refreshes and displays the Map Template: Edit page.
3. To edit a map, click the name of a map template. The Map Template: Edit page is displayed.
4. In the Map Details area, click Add beside each item that you want to add to the map.
An icon that represents the new item is automatically added to the top left corner of the map and new
options are displayed.
a. Move the icon to the appropriate location on the map.
Tip: As you add more items, each icon is automatically added to the top left corner of
the map. It is recommended that you move each icon immediately to avoid losing track
of each item.
b. In the Map Details area, select what the icon represents. Only items that have been configured
in the system are displayed in the drop down list.
5. Repeat the previous step until you've added all the items that are required.
6. To move an item on the map, click and drag the icon to the appropriate location.
7. To edit what an icon represents, locate the item in the Map Details list and select a new option from
the appropriate drop down list.
8. To delete an item from the map, click beside the item in the Map Details area.
9. Click to save your changes. It is recommended that you save frequently. Saving also causes the
page to refresh, so any changes have not been updated in the preview may appear after you save.
10. Click to return to the Map Templates list.
Maps - Linking Maps

You have the option of linking your maps together to provide different views and different levels of detail of
the same area. After you create each map, you can link them together by using the Zoom In or Zoom
Out option to define how the maps are linked together.
For example, say an operator has detected an alarm in a building. His monitor displays the building's map,
showing the alarmed point, but he needs to get a closer look to confirm the exact position of the alarm. To do
this, he clicks which is linked to a floor view. The floor view map appears with a closer view of the alarmed
point. Once he has taken care of the alarm, he can then click to return to the general building map and
Maps - Linking Maps 451

resume general surveillance.
Complete the following steps to link maps together:
1. Select > Maps.

2. Create a map for each view that you want of your facility. For more information, see Maps - Creating
and Editing a Map on page 450.
3. From the Map Template list, click the name of the map with the widest view of the facility.
4. On the Map Template Edit page, click Add beside the Zoom In option in the Map Details area.
5. In the following drop down list, select the map with the close-up view of the facility.
6. From the top left corner of the map, move the icon to the area that the linked map represents.
8. Click to return to the Map Template list.

9. Click the name of the next map.
Select the map that you just linked to on the previous map.
10. On the Map Template Edit page, click Add beside the Zoom Out option in the Map Details area.
11. In the following drop down list, select the first map that you added a link from. Now the two maps are
linked back together.
12. From the top left corner of the map, move the icon to the edge of the map to show where the
linked map expands from.

14. Repeat the previous steps until all your maps are linked together in a logical order.
Always use the Zoom In icon to link a map with less detail (such as a building or campus) to a map with
more detail (like a floor or room). The Zoom Out icon is meant to link a detailed map to a wider, less
detailed map.
Use this procedure to create a series of links that progressively bore down to greater and greater granularity,
or telescope up to provide a larger view.
Using a Map
Access a map of your site, facility or floor plan from the Monitor page to do any of the following:
l Monitor the status of doors, panels, subpanels, inputs and outputs that are installed. For example, a
mustering station on the third floor of a building.
l Set the door mode and door commands on the map.
Note: Unlike the Physical Access > Doors or Monitor > Dashboard page which displays
Using a Map 452

all modes and commands regardless of door type, the Monitor > Maps page displays only
the modes and commands that are supported by your door or device.
l Keep track of identities as they arrive at muster stations from the Mustering dashboard.
Hardware Status
The following indicators are displayed on the map as events occur:
Green bar The hardware is operating normally.
Red square The hardware is in an alarm state. The counter in the

square shows the number of unacknowledged events.
Solid blue disk An active override is in effect on the door.
Hollow blue disk An inactive override is defined.
Red bounding box around The door is in Priority Mode.

the status bar
Viewing a Map
To access and monitor your site from a map:
Hardware Status 453

2. In the Map Templates list, click the name of a map.
Some of the displayed elements may not appear in your map or the example below.
Figure 22: Example map of a muster station on the third floor
Icon Description
Doors
Panels
Subpanels
Inputs
Outputs
Cameras
Zoom In
Viewing a Map 454

Icon Description
Zoom Out
Global Actions
Square, circle or Dashboard Elements

text object
Map Actions
The actions you can complete on a map are determined by the permissions of your assigned roles.
To... Do this...
Review The colored bar below each item displays an overview of the current
hardware status communication and power status.
l Click the icon on the map to display the control menu.
For more information about the colored hardware status bar, see the specific
hardware status page. For more information about the status colors, see Status
Colors on page 46.
Review an alarm If you see a red alarm indicator, the item on the map is in an alarm state.
l Click the alarm indicator to see the status details.
For more information about alarm actions, see Monitoring Alarms on page 37.
Modify or delete If you see solid blue disk indicator, an active override is in effect on the door. If
an override you see a hollow blue disk indicator, an inactive override is defined.
l Click the indicator to open the Doors: Overrides page to see details.
Respond to a If you see a red bounding box around the status indicator, the door is in Priority
priority situation Mode.
Important: A door is in Priority Mode when a priority situation has been

declared at your site. All doors affected by the situation are placed into
Priority Mode and only the Priority ACM Operator, responsible for
dealing with priority situations can interact with the door.
Map Actions 455

To... Do this...
Control a door Click on the map to display the control menu for the selected door.
Note: Fields in this list are dependent on the door or device. Some
commands or fields are not supported for all doors or devices.
Use the menu options to set the Door Mode. For more information, see Door
Modes on page 213.
Use the following menu options to mask or unmask alarms:
l Mask Held — Mask the Door Held Open Alarm.
l Unmask Held — Unmask the Door Held Open Alarm.
l Mask Forced — Mask the Door Forced Open Alarm.
l Unmask Forced — Unmask the Door Forced Open Alarm.
To view live video, recorded video, notes, instructions, identities, and history
click Trace to display the event transactions for the door.
Control a panel Click on the map to display the panel control menu, then for the panel or
or subpanel subpanel use these options:
l Panels
o Download Params — Download the latest system configurations
to the panel.
o Tokens — Download the tokens to the panel.
o Reset/Download — Reset and download the current system
configuration to the panel.
o APB Reset — Resets all panel and area counts to zero.
o Clock — Re-sync the panel time.
o Trace — Display the event transactions for the panel.
Note: This is the only option supported for ASSA ABLOY

IP panels.
l Subpanels
o Trace — Display the event transactions for the subpanel.
Viewing live video, recorded video, notes, instructions, identities, and history can
be performed on the event transactions.
Map Actions 456

To... Do this...
Control an input Click the on the map to display the input control men for the input.
Use these options to mask or unmask the input:
l Mask — Mask the input.
l Unmask — Unmask the input.
Control an Click the on the map to display the output control menu for the output.
output
Use these options to initiate output actions:
l On — Activate the output.
l Off — Deactivate the output.
l Pulse — Pulse the output.
Display video Click the on the map to display the Camera Video window.
Open a linked Click to display a linked map, or to display a linked map.

map
Monitor the If there is a Mustering dashboard configured on the map, it may appear as a line
dashboard of text or as a shape with text inside.
The dashboard displays the number of identities in the area and may include the
name of the area. In Example map of a muster station on the third floor on
page 454, the dashboard is the gray square.
Click the dashboard to see a list of all the identities that are in the area. Click
outside the pop-up dialog to hide the identities list. Click the First Name or Last
Name to view the identity.
Map Actions 457

Priority Situations
For Mercury Security doors.
Your site may have requirements for your ACM system to support your organization's emergency
procedures. Typical emergency procedures might be for potentially life-threatening situations (such as fires,
tornadoes, earthquakes, physical attacks), and hazardous situations (such as chemical spills, gas leaks,
explosions). Your ACM appliance can provide automated access control of doors connected to Mercury
panels in unpredictable emergency and high-priority situations, including lockdowns and evacuations, to
support your organization's existing operating procedures.
Important: The functionality to respond to high-priority situations is not supported by HID® VertX®
panels. If you only have HID VertX doors at your site, the procedures provided for high-priority
situations using the ACM system do not apply. If you have a mix of HID VertX and Mercury Security
doors, do not include HID VertX doors in any group of doors that are associated to your Priority Door
Policies or Priority Door Global Actions.
If you have Mercury Security doors operating with SimonsVoss SmartIntego wireless locks, refer to
SimonsVoss SmartIntego documentation. The ACM lockdown priority operation is superseded by
the Escape and Return state of the SimonsVoss wireless lock when it becomes engaged in a
lockdown situation.
To respond to a priority situation a Priority ACM Operator activates a Priority Door Policy, which is a
specialized Door Policy that is configured to immediately apply a Priority Mode to a group of doors upon
activation. Optionally, the policy can also set the Door Mode of all the doors to a single value, such as Door
Locked No Access for an emergency lockdown.
While a door is in Priority Mode, it is highlighted in red wherever it appears in the ACM client, such as the
Doors listing page and on maps or dashboards. These doors can be controlled only by Priority ACM
Operator, who have a Priority Role that allows them this control. A Priority ACM Operator can issue
commands to individual doors in Priority Mode to allow safe exit of trapped people, to allow emergency
responders in, or to isolate persons of interest, and so on.
WARNING — Risk of loss of functionality. While a priority situation is active, any configuration change
made to the ACM system may have unintended consequences. To avoid this risk during an active
priority situation, do not allow any ACM operator other than the Priority ACM Operator to make (or
approve) any configuration changes, including changes in unaffected partitions. For more information,
see on page 465
Upon deactivation of the policy, the Priority Mode is removed and the doors return to the door mode they are
configured to be in at the time. To secure this functionality from unauthorized access, it can all be isolated in a
secure Priority Partition.
Priority Situations 458

Planning Priority Door Policies
Analyze all existing door policies at your site before designing and configuring any Priority Door Policies. You
must be familiar with all the door policies that are configured at your site. The settings in all of your non-
priority and priority door policies must be designed, configured, and tested to ensure that there are no
unexpected results after these polices are applied over each other in all possible combinations.
For example, a Priority Door Policy is configured that overwrites only a subset of the door settings. Some of
those settings are set in the base configuration of a door, and some are reset by the non-priority door policy
that is normally in effect at the time the Priority Door Policy is activated. After the priority situation is over and
the Priority Door Policy is deactivated, the currently scheduled non-priority policy is re-activated and applies
its settings.
The priority door policies or other related priority items you configure to support them in the ACM system
must be:
l Aligned with the emergency procedures in effect at your site.
l Securely isolated so that they cannot be interrupted by lower priority activities.
l Regularly tested and rehearsed to ensure they function as expected, and corrected if they do not.
Note: You can configure Priority Door Global Action pairs. However, Priority Door Global Actions
are not recommended; see Limitations of Priority Global Actions on page 467. Priority Door Global
Actions are specialized Global Actions for doors (the first Priority Global Action applies a Priority
Mode, and optionally sets the door mode to a single known value, to a group of doors upon
activation, and the second Priority Global Action restores those doors to the mode they are
configured to be in at the time).
If you have previously used a pair of Global Actions to respond to a priority situation, consider replacing them
with a single Priority Door Policy, as recommended.
Important: A Priority Door Policy is the most secure way to control access with the ACM system in an
emergency situation. It is also more robust than a Priority Door Global Action. A Priority Door Policy
will stay in effect on the doors it is installed on even if:
l The ACM appliance:

o Is restarted
o Fails over to a backup appliance
Planning Priority Door Policies 459

l The door or door panel:
o Goes offline
o Is rebooted
o Is disconnected from the access control network.
Priority Door Policies, Global Actions, and Modes

When activated, a Priority Door Policy or Priority Door Global Action sets all doors in an associated group of
doors into Priority Mode. Additionally, it can set all these doors to a single configurable door mode (for
example, Locked - No Access) regardless of their current mode when activated.
While a Priority Door Policy or Priority Door Global Action active, only Priority ACM Operator is authorized to
issue commands to doors in Priority Mode can change the door mode on specific doors (for example to allow
safe exit of trapped people, to allow emergency responders in, or to isolate persons of interest). After the
situation is resolved, you can remove the Priority Door Policy or Priority Door Global Action and all the doors
will return to the mode they normally are in at the current time.
Priority Door Policies and Priority Door Global Actions and the associated door Priority Mode are at the top of
the ACM system's priority hierarchy. For information about the priority hierarchy, see Priority Hierarchy on
page 467.
A Priority Door Policy is created in the same way as any other door policy, with specific settings that define it
as a Priority Door Policy. A Priority Global Action is created in the same way as any other global action, except
that it can only be configured for the Door Mode.
Priority Door Policies and Emergencies

Use Priority Door Policies to support your organization's critical emergency response procedures, which
might include lockdowns and evacuations.
To ensure the security of Priority Door Policies, isolate everything required to manage the Priority Door Policy
in a Priority Partition, accessible only to the Priority ACM Operator responsible for managing the ACM system
during an emergency.
The operators, roles and groups associated with Priority Door Policies must be configured to conform to your
organization’s operating procedures:
l Roles to trigger a Priority Door Policy, and the assignment of those roles to operators, must be defined
so that the policy can be activated only in conformance with those operating procedures.
l Door groups that are affected by a Priority Door Policy must be defined so that they cannot be
inadvertently altered.
Priority Door Policies, Global Actions, and Modes 460

Secured priority situation response functionality is configured in the following order:
1. Priority Partition: A specialized partition that isolates all the functionality required for a secured
response to a priority situation.
2. Priority Role: A specialized role for authorized ACM operators responsible for operating the ACM
system during priority situations. The Priority Role must be assigned the following delegations:
l Policies Set Priority to configure a Priority Door Policy.
l Global Action Set Priority to configure a Priority Global Action.
l Doors Commands During Priority to allow manual control of doors in Priority Mode during a
priority situation
3. Priority ACM Operator: An ACM operator authorized to operate the ACM system during
emergencies. This operator is assigned membership of the:
l Priority Role
l Priority Partition
4. Priority Group: A Group that is a member of the Priority Partition that is reserved to associate doors
with Priority Door Policies.
5. Priority Door Policy: A specialized Door Policy that enables the Priority Mode and, optionally, a single
known value for the Door Mode, to be assigned to a group of doors upon activation. A door in Priority
Mode is highlighted in red wherever it appears in the ACM client, such as the Doors listing page and
on maps, while a Priority Door Policy is in effect.
For the procedure on securely isolating a Priority Door Policy, see Configuring a Secure High-Priority
Emergency Response below.
Configuring a Secure High-Priority Emergency Response

You can maximize the security of your high-priority emergency response procedure by isolating everything it
requires the ACM system to manage in a dedicated partition, referred to as a Priority Partition. If your site:
l Does not use partitions, you only need to create one Priority Partition.
l Does use partitions, you should determine how many Priority Partitions you require. Whether you need
more than one Priority Partition depends on the complexity and requirements of your organization.
Consider:
o One Priority Partition for your entire site.
o Several Priority Partitions that do not correspond to the existing ones.
o A matching set of one Priority Partition for each existing partition.
It is recommended that you define as few Priority Partitions and Priority Door Policies as possible. For
example, do not configure multiple Priority Door Policies with the same settings in the same Priority Partition.
To secure your high-priority emergency response using a Priority Partition, complete the following steps:

1. Create a partition, and give it a name that identifies it clearly as the Priority Partition.
2. Add all the doors at your site that you want to control in any emergency or high-priority situation as
members of the Priority Partition. Typically this would be all the doors managed by the ACM system.
3. Create a Priority Role for the Priority ACM Operator and add the following delegations as members:
l Policies Set Priority: Allows the identity to configure a Priority Door Policy.
l Global Action Set Priority: Allows the identity to configure a Priority Global Action.
l Doors Commands During Priority: Allows the identity to use commands to change the
attributes of a door in priority mode.
WARNING — Assign these three delegations only to the Priority Role reserved for Priority ACM
Operator.
4. Add a new identity, and give it a name that identifies it clearly as the Priority ACM Operator. Assign the
high-priority identity as a member of the:
l Priority Role
l Priority Partition
Alternatively, you can add an existing administrator identity as a member of the Priority Role and the
Priority Partition, although this will be less secure.
WARNING — Risk that users other than the Priority ACM Operator can change door modes when a
Priority Door Policy is in effect. Users with the Doors Commands During Priority delegation can use
commands to change the door mode. To avoid this risk, assign the Doors Commands During Priority
delegation only to the Priority Role and assign the Priority Role only to the high-priority ACM system
administrator.
5. Create a group, and give it a name that identifies it clearly as the Priority Group. Assign the Priority
Group to the Priority Partition.
6. Create a Priority Door Policy. Assign the Priority Door Policy to the Priority Partition.
7. A Priority Door Policy is created in the same way as any other door policy, with the following five
specific settings on the Mercury tab:
a. Set the Lock Function to None.
b. Set Custom Schedule to 24 Hours Active.
The Priority checkbox is enabled.
You can use a custom schedule other then the recommended 24 Hours Active. However, the
intent of a Priority Door Policy is that it should be used on demand, not on a schedule. When
you set the Custom Schedule option for a Priority Door Policy, be aware of the following:
l Holiday and custom schedules must be configured with matching values for the Type
option so that they can interact.
l Do not set Custom Schedule to Never Active. With this setting, the doors affected go
into Priority Mode when the policy is activated, but their door mode is not updated with
the value in the policy.
l Do not associate a Priority Door Policy with a schedule that has fixed start and end
times. The purpose of a Priority Door Policy is to respond to an unanticipated situation
when it occurs and to stay in effect until the situation is resolved. A Priority Door Policy is

intended to be activated on demand only.
l The maximum number of custom schedules is 255 if you use a custom schedule other
than 24 Hours Active.
c. Click the Priority checkbox.
d. Use the Door mode option to set the mode for all doors to have when this policy is active. For
example Locked No Access for a policy tor a lockdown, or Unlocked for a policy for an
evacuation. Leave this option blank if you want to individually reset each door's mode from its
normal mode after the policy is activated.
e. Set the Offline Door Mode to the same value as the Door Mode. This ensures that, if the door
is disconnected from network or power during the emergency, the door mode will remain in the
same as the mode set by the Priority Mode while the door is disconnected, or after power is
restored.
CAUTION — Set the offline door mode to match the priority mode. This ensures that the door
stays in the same mode in the event of a subpanel going offline or the subpanel is uninstalled
while the Priority Door Policy is in effect.
f. Optionally, if there are additional settings that must be retained on all the doors affected by this
policy, ensure they are correctly configured. For example, if there is a door policy that contains
settings for other options that must be retained through an emergency, and that policy might be
installed on these doors at the time of the emergency.
8. Create two Global Actions: to activate the Priority Door Policy, and to deactivate the Priority Door
Policy. Assign the Global Actions to the Priority Partition.
Create the Global Actions with the following specific settings:
a. Assign each global action to the Priority Partition.
b. Set Type to Policy Install/Un-install.
c. Set the Sub-Type to:
l Install for the global action to activate the Priority Door Policy
l Un-install for the global action to deactivate the Priority Door Policy
d. In each global action, add the Global Door Policy as the only member.
9. Create a new map template. Place the door icons and global actions created in the previous steps on
the map. Assign the map to the Priority Partition.
10. In the Priority Group, associate the Priority Door Policy with all the doors in the Priority Partition.
Testing a Secure Priority Emergency Response in the

ACM System
To test that all of your emergency-related configurations and activities are securely isolated:

1. Log out of the ACM client.
2. Log in as the Priority ACM Operator.
3. Activate the Priority Door Policy:
a. Navigate to the priority map.
b. Click on the icon for the global action to activate the Priority Door Policy.
4. Verify that the doors enter into Priority Mode:
l On the priority map, a red bounding box appears over the status bar under each door icon.
Hover the mouse over the status bar to see the Door in Priority mode tooltip.
l On the Doors listing page, all users will see a red bounding box over each door in Priority
mode. Commands to change the door made are enabled for the Priority ACM Operator.
5. Log out as the Priority ACM Operator and log in as an ACM client user who is not a member of the
Priority Partition, and verify that the user:
l Can see:
o On any map other than the priority map, a red bounding box over the status bar under
the door icon for any door in Priority Mode on that map. Hover the mouse over the status
bar to see the Door in Priority mode tooltip.
o On the Doors listing page, a red bounding box over each door in Priority mode. All
commands that affect doors are disabled for the user.
l Cannot see any of the members of the Priority Partition:
o The Priority Door Policy on the Policy list
o The two policy install/uninstall global actions for the Priority Door Policy on the
Global Actions list.
o The priority group on the Groups list.
o The map template on the Maps list or the Monitor > Maps page.
l Cannot initiate any door commands on any door in priority from the Doors list.
6. Log in as the Priority ACM Operator.
7. Deactivate the Priority Door Policy:
a. Navigate to the priority map.
b. Click on the icon for the global action to deactivate the Priority Door Policy.
8. Log out as the Priority ACM Operator and log in as an ACM client user who is not a member of the
Priority Partition, and verify that the user:
l Can see:
o On any map other than the priority map, that there is no red bounding box over the
status bar under the door icon for any door that was in Priority Mode on that map.
o On the Doors listing page, there is no red bounding box over each door in Priority mode.
l Can initiate any door commands on any door from the Doors list according to their role.

Activating the High-Priority Emergency Response
Several techniques can be used to make it as easy as possible for authorized personnel to trigger a Priority
Door Policy in the event of an emergency.
A Priority ACM Operator can trigger the installation of priority-enabled policy in response to an emergency,
from an ACM monitoring station:
l
From the Policies list, click in the Installed column next to the name of the Priority Door Policy for
the type of emergency.
l From the map associated with the Priority Partition, click on the global action icon for installing the
Priority Door Policy for the type of emergency.
You can also configure or install ways for other users to trigger an emergency response by the ACM system
using Global Linkages. For example you can:
l Issue priority emergency badges to security personnel to swipe at any card reader.
l Install panic buttons wired in to the access control system at strategic locations.
These configurations are complex and should be planned and completed by a skilled security professional
with detailed knowledge of the ACM system.
During a High-Priority Situation

There are several actions that the Priority ACM Operator must complete immediately after a Priority Door
Policy is installed to ensure that the priority policy is not interrupted while it is in effect:
l Check that there are no scheduled jobs running or about to start and if there are, stop them from
running or starting.
WARNING — Risk that doors in priority mode can be returned to the mode they normally are in at the
current time while a Priority Door Policy or Priority Global Action is in effect. A scheduled job or global
linkage that affects a door panel (such as a door install or uninstall, door grant, panel install or uninstall,
policy install or policy uninstall, and others) will terminate a Priority Door Policy or Priority Global Action
on the doors affected by the interruption. A door bulk update will also terminate a Priority Global
Action. To avoid this risk, stop any scheduled job or global linkages from running or starting, during the
emergency.
l Verify that there are no global actions or global linkages about to be initiated.
l Verify that there are no other users with any of the high-priority delegations active during the
emergency situation. The only exception might be if your organization requires the deployment of
more than one Priority ACM Operator working in coordination.
WARNING — Risk that users other than the high-priority ACM system administrator can change door
modes when a Priority Door Policy is in effect. Users with the Doors Commands Set Priority delegation
can use commands to change the door mode. To avoid this risk, assign the Doors Commands Set
Activating the High-Priority Emergency Response 465

Priority delegation only to the Priority Role and assign the Priority Role only to the high-priority ACM
system administrator.
l Secure the ACM appliance to ensure that it does not accidentally reboot.
l If you are using peer-to-peer or hot standby replication , issue all commands from the same appliance
from which the Priority Door Policy or Priority Door Global Action was issued.
During the emergency, the Priority ACM Operator can use the ACM client to issue commands to individual
doors in Priority Mode. This allows the Priority ACM Operator to grant access to emergency responders,
provide safe exits for trapped people, or isolate persons of interest.
If there are ACM system partitions not affected by the active Priority Door Policy, normal operations can
continue in those partitions.
While a Priority Door Policy is active, the Priority ACM Operator must ensure that the Priority Partition is
isolated and all activities affecting the ACM system are under strict control. In the Priority Partition:
l Do not allow anyone other than the Priority ACM Operator to use the ACM client in the Priority
Partition, and limit the number of people using the ACM client in any other partitions (if any).
l Do not activate additional Priority Door Policies.
WARNING — Risk of unpredictable results installing multiple Priority Door Policies. If you install a
second Priority Door Policy while one is already in effect, the latest created policy takes precedence,
which may not be the most recently installed policy. To avoid this risk, never activate a second Priority
Door Policy until after the first policy is deactivated.
l Do not allow any configuration, maintenance, or scheduled maintenance operations.
l Do not activate any Priority Door Global Actions.
The Priority Door Policy is active until it is deactivated. Deactivation restores doors to their normal door mode
for the current time.
Deactivating a Priority Door Policy

The ability to end a Priority Door Policy must be restricted to ensure that your site is fully secured before
normal access is restored. The Priority ACM Operator is responsible for deactivating the Priority Door Policy
after it is determined that the emergency situation has been resolved and it is safe to return the ACM system
to its normal operating state.
The deactivation of an active Priority Door Policy can only be completed from an ACM monitoring station,
regardless of how the policy was triggered:
l
From the Policies list, click in the Installed column next to the name of the active Priority Door
Policy.
l From the map associated with the Priority Partition, click on the global action icon for uninstalling the
active Priority Door Policy.
Deactivating a Priority Door Policy 466

Limitations of Priority Global Actions
Priority Global Actions are not recommended for emergency situations. A Priority Door Global Action is much
less robust than a Priority Door Policy. Never use a Priority Door Global Action while a Priority Door Policy is
activated.
WARNING — There is a risk that, while a Priority Global Action is in effect, doors in priority mode can be
returned to the mode they normally are in at the current time. Any action that interrupts the functioning of the
ACM appliance or the door panels will terminate a Priority Global Action on the doors affected by the
interruption. Some examples of actions that can cause this are:
l Failover of the ACM appliance
l Reboot of the ACM appliance or a door panel.
l Network disconnection, or a site-wide power recycling or outage.
l Change to any door attribute on the Doors editing page while a door is in priority mode.
l Reset/Download from the Panel Status page.
l Scheduled job or global linkage for a door bulk update.
WARNING — There is a risk that not all doors in a large number of doors set to Priority Mode will correctly
return to their normal operating state when a Priority Global Action is used to restore a large number of doors.
To avoid this risk, when you define a Priority Global Action for doors, also define a group of doors containing
all the doors associated with that Priority Global Action, and then to restore the doors to their normal
operating state:
l Navigate to the Doors listing page.
l Filter the list of doors by the group associated with the Priority Global Action.
l Select all the doors in the group.
l Click the Door Action button and select Restore from the drop-down list.
WARNING — Risk of unpredictable results using Priority Global Actions in either a peer-to-peer replication or
hot-standby environment:
l Priority Global Actions executed on one appliance are not mirrored on the other appliance. When a
global action is executed on one appliance, it only affects the doors that are connected to that
appliance.
l While a Priority Global Action is in effect, and there is a failover to the hot-standby appliance, affected
doors can be returned to the mode they normally are in at the current time.
To avoid these risks, use a Priority Door Policy. Priority Door Policies installed on one appliance in either a
peer-to-peer replication or hot-standby environment are mirrored on the other appliance.
Priority Hierarchy
There are three priority levels for door mode changes in the ACM software. Within each level, the possible
actions also have an order of precedence. A change to a door state that has a higher priority and precedence
Limitations of Priority Global Actions 467

than the change that defined the current state takes effect whenever it is activated. A change with a lower
priority and precedence than the change that defined the current state will never take effect. Changes with
equal priority and precedence take effect in the order they are made.
Commands such as Grant issued directly in the ACM client have the highest priority, and can be activated at
any time. For example, during a lockdown priority situation, when all doors are automatically locked, the
Priority ACM Operator can grant access to specific doors from the Maps page or the Door list page for first
responders.
Priority Operator Rights

Type of Change Act On
Required
Highest UI commands on doors in Single door in the affected Rights on a priority status
priority state group of doors door
Active Priority Door Policy Predefined group of doors
associated with the policy
Active Priority Global Predefined group of doors
Action associated with the global
action
Medium UI Commands with rights Single door in a non- Rights on a non-priority
on a non-priority status priority state status door
door
UI Commands without None
rights
Wireless door lock Wireless lock functions
function
Note: The ACM lockdown priority operation is superseded by the Escape

and Return state of the SimonsVoss wireless lock when it becomes
engaged in a lockdown situation.
The above three Medium priority changes supersede each other when
sequentially applied. Any one of them will supersede an Override command.
Override
Priority Hierarchy 468

Priority Operator Rights
Type of Change Act On
Required
Low Custom Schedule
Non-priority Door Policy
Non-priority Door Global

Action
Macro/Trigger
Base Mode
Job Specification (two

global actions)
Door template
Triggering Door Lockdown By Panic Button or Red Card

Mercury Security doors only.
To set up a panic button or red card that locks down a door in a high priority situation and releases the locked
door after the lockdown issue is resolved:
1. Add a Policy to trigger the panic button and add another policy to release it.
Example:
Name
Lockdown policy install
Lockdown policy uninstall
For more information, see Adding a Policy on page 96.
2. Panic button only. Choose a method to associate each policy with the subpanel, input or output.
l Add a Global Action to activate the panic button and add another global action to deactivate it.
Associate those actions with the policy by moving them to the Members list.
Example:
Name Type Sub-Type Members
Global action name install Policy Install/Un-Install Install Policy name
Global action name uninstall Policy Install/Un-Install Un-Install Policy name
For more information, see Adding Global Actions on page 333.

l Add a Global Linkage to associate each policy with the input or output on the Actions tab by
moving them to the Members list.
Example:
Actions tab:
Name Members
Linkage name install Global action name install
Linkage name uninstall Global action name uninstall
3. Red card only. Add a Global Linkage to associate each lockdown policy with an identity and its token
on the Devices, Events and Tokens tabs. Move the input or output, door event and token to the
Members list.
Example:
Devices tab:
Name Type Members
Linkage name install Door Input on subpanel N Address N
Linkage name uninstall Door Input on subpanel N Address N
Events tab:
Name Members
Linkage name install Local Grant - not used
Linkage name uninstall Choose an event to release the locked door
Tokens tab:
Name Type Members
Linkage name install Door Input on subpanel N Address N
Linkage name uninstall Door Input on subpanel N Address N
4. When a lockdown situation arises, activate the lockdown policy for the panic button or red card by
pressing the panic button or swiping the red card on the reader, respectively.
5. When the lockdown situation is resolved, deactivate the lockdown policy.
On the Policies list, click next to the lockdown policy.
Example:
Name

Lockdown policy uninstall
For more information, see Policies list on page 97.

Overriding Door Modes and Schedules
Note: Overrides are only supported on Mercury panels using firmware 1.27.1 or later. Your current
version of the ACM software includes compatible firmware you can download to your panels. You
can create up to 100 overrides on a single panel.
Use overrides to apply a temporary one-time change to the normal door mode of a selected set of doors. For
example, to extend or delay opening or closing hours, or for closing on a snow day. Overrides can be
scheduled to take effect immediately, or in advance (for example, for a one-time occurrence such as an all-
access event next week in a normally locked room). When an override ends, the door or doors each return to
the mode they are supposed to be in according to their schedule at that time. Overrides are not recurring. For
almost all purposes, an override should be deleted as soon as it has ended as there is a maximum number of
overrides per panel.
Override functionality is designed to work best with your regular door schedules. Overrides have a medium
priority-level in the ACM priority hierarchy and many higher-priority actions take precedence. For more
information about this hierarchy see Priority Hierarchy on page 467. For example a manual command to a
specific door, or a priority lockdown command to a set of doors, takes precedence. If a priority lockdown
occurs while an override is in effect, the priority lockdown becomes active. After the priority lockdown has
been cleared by the Priority ACM Operator, the override becomes active on the doors if it is still in effect,
otherwise each door returns to its regular schedule for that time.
On Mercury panels using firmware earlier than 1.29, an override starts and ends at the beginning of the
minute of its scheduled time. On Mercury panels using firmware 1.29 or later, an override starts at the
beginning of the minute and ends at the end of the minute of its specified time. Time overlaps are not
supported. For example, you can specify 1:00 - 1:30 and 1:31 - 1:59 overrides.
Important: You can only add an override to doors you are authorized to access that are on the same
ACM server. However, you can modify or delete any override, and your changes will apply to all the
doors in the override, including doors you are not normally authorized to access. If partitioning is
used in your ACM system and you expect users authorized for specific partitions to modify an
override, define individual overrides for each partition rather than a single override that spans
multiple partitions. Otherwise, users can modify overrides that affect doors they cannot see and be
unaware of any changes.
Adding an Override
You add an override by selecting a set of doors on the Door list, clicking the Override control button,
specifying the door mode, and the start and end times of the override.
To add an override:
Overriding Door Modes and Schedules 472

2. Click the checkbox for each door you want to add to the override.
If you want to override all the doors you can see in your system, click All at the top of the left column to
select all the doors.
3. Click Override.
4. Select the door action or door mode you want applied to all the doors in the override:
l Disabled — Stops the doors from operating and allows no access.
l Unlocked — Unlocks the doors.
l Locked No Access — Locks the doors.
l Card Only — This door can be accessed using a card. No PIN is required. See Appendix:
pivCLASS Configuration on page 529.
l Pin Only — This door can only be accessed by entering a PIN at a keypad. No card is required.
l Card or Pin — This door can be accessed either by entering a PIN at a keypad or by using a
card at the card reader.
Note: The Pin Only and Card or Pin door modes are not available if the Allow duplicate PINs
5. Specify the date and time settings for Start Day/Time and End Day/Time. Both are required. Time is
specified to the minute. On Mercury panels using firmware earlier than 1.29, the override begins and
ends at the beginning of the minute you specify. On Mercury panels using firmware 1.29 or later, an
override starts at the beginning of the minute and ends at the end of the minute of its specified time.
Time overlaps are not supported. For example, you can specify 1:00 - 1:30 and 1:31 - 1:59 overrides.
Tip: To start an override immediately, click Now in the Start Day/Time pop-up window.
Important: The date and time the override is active is based on the settings at the controller
panel for the doors, not the ACM server. If your ACM server is in a time zone ahead of the time
zone of your ACM client and the doors and panels you control, you may see an error message
that the override occurs in the past. You can ignore this error message if your settings in the
local time zone are correct.
6. Add an optional note to provide relevant information for future use.

7. If partitions are used, you can restrict the override to only those doors in the Doors Selected list that
are in a specific partition.
8. Click Add.
Adding an Override 473

Accessing the List of Overrides
You can access a list of all overrides from the Doors page:
l Click Overrides: (above the list of doors) to open the Doors: Overrides page for all defined overrides.
Tip: The total number of defined overrides is displayed next to Overrides:.
You can access a list of all overrides for a specific door from the Doors page.
l A blue disk in the Override column for a door indicates overrides are defined for the door. The disk
has two states:
o : An override is currently active.
o
: An override is defined, but not active. An inactive override can be an override that has been
completed but not deleted, or an override that has not yet started.
l Click the disk to open the Doors: Overrides page listing all the overrides for that door.
Tip: Completed overrides must be manually deleted. Overrides are intended to be temporary
actions for use on an as-needed basis. Most overrides should be deleted as soon as they are
completed and no longer needed. Keep only override definitions that are highly likely to be re-used
as defined, with only the start and end time and date settings modified.
For more information, see Modifying and Deleting Overrides below.
Monitoring Overrides
Use the Maps feature to monitor overrides on doors. When a door that is displayed on a map is included in an
override, the status indicator for the door is updated to display a blue disk. The disk indicates overrides are
defined for the door. The disk has two states:
l : An override is currently active.

l
: An override is defined, but not active. An inactive override can be an override that has been
completed but not deleted, or an override that has not yet started.
For example, if an override is active on a door, a solid blue disk is displayed next to the green bar:
For more information, see Using a Map on page 452.
Modifying and Deleting Overrides

On the Doors: Override page you can select an override to modify or delete overrides.
Accessing the List of Overrides 474

To modify the override:
1. Click on the override name in the Name column to open the Override: Edit page.
If partitions are used, and doors you cannot see are included in the override "One or more doors in this
override are in partitions you cannot see. These doors will be affected by your changes if you
continue." is displayed. You can modify all the override settings, but only add or remove doors that you
are authorized to see.
2. Make the modifications you need.
l All settings can be modified if partitions are not used in your ACM system.
l In the Doors Selected section, you can add doors to the override by highlighting them in the
Available list and moving them to the Members list.
3. Click Save.
To edit the base settings of any door in the override:
l Click on the door name in the Selected column.
Changes made to the base settings do not take effect until the override expires.
To delete an override:
l
Click .
The time the override is deleted is logged by the system. When an active override is deleted, the door
or doors each return to the mode they are supposed to be in according to their schedule at that time.
Modifying an Override
To modify the override:
1. Select the door action or door mode you want applied to all the doors in the override:
l Disabled — Stops the doors from operating and allows no access.
l Unlocked — Unlocks the doors.
l Locked No Access — Locks the doors.
l Card Only — This door can be accessed using a card. No PIN is required. See Appendix:
pivCLASS Configuration on page 529.
l Pin Only — This door can only be accessed by entering a PIN at a keypad. No card is required.
l Card or Pin — This door can be accessed either by entering a PIN at a keypad or by using a
card at the card reader.
Note: The Pin Only and Card or Pin door modes are not available if the Allow duplicate PINs

2. In the Doors Selected section, add doors to the override by highlighting them in the Available list and
moving them to the Members list.
Important: If partitions are used, only doors that are not in any partition or are in the partitions
you are authorized to see are displayed in the Doors Selected list.
3. Specify the date and time settings for Start Day/Time and End Day/Time. Both are required. Time is
specified to the minute. On Mercury panels using firmware earlier than 1.29, the override begins and
ends at the beginning of the minute you specify. On Mercury panels using firmware 1.29 or later, an
override starts at the beginning of the minute and ends at the end of the minute of its specified time.
Time overlaps are not supported. For example, you can specify 1:00 - 1:30 and 1:31 - 1:59 overrides.
Tip: To start an override immediately, click Now in the Start Day/Time pop-up window.
Important: The date and time the override is active is based on the settings at the controller
panel for the doors, not the ACM server. If your ACM server is in a time zone ahead of the time
zone of your ACM client and the doors and panels you control, you may see an error message
that the override occurs in the past. You can ignore this error message if your settings in the
local time zone are correct.
4. Add an optional note to provide relevant information for future use.

5. If partitions are used, you can restrict the override to only those doors in the Doors Selected list that
are in a specific partition.
6. Click Save.

Setting Personal Preferences
To set up your personal preferences, select > My Account from the top-right. Navigate through the
tabbed pages and edit the details as required. The tabbed pages include:
l Profile: use this page to edit your account details and preferences.
l Batch Jobs: use this page to view the batch jobs that have been run from your account.
l Job Specification: use this page to add, edit, activate/ deactivate, or delete batch jobs.
Changing the Password in My Account

While you are logged in to the ACM system, you can choose to change your password any time from the My
Account page.
1. In the top-right, select > My Account.

2. On the following Profile page, enter your current password in the Old Password field.
3. In the Password field, enter your new password.
As you enter your new password, the status bar underneath will tell you the strength of your password.
Red is weak, while green is very strong. Use a combination of numbers, letters, and symbols to
increase the password strength. The password must be at least 4 characters long.
4. Click to save your new password.

A system message tells you that you will be logged out.
5. When the login screen appears, log in with your new password.
Setting Your Preferred Language

To set your preferred language in the ACM system:
1. Select > My Account.

2. Select the language in Locale.
3. Click Save.
4. Log out and log back in.
Note: The online help is provided only in English (US), French, German, Italian and Spanish. If
you set your system to a language other than these five languages, English (US) online help will be
the default.
Setting Personal Preferences 477

Scheduling Batch Jobs
Batch jobs are processes, such as generating reports, that are performed automatically, according to a
schedule.
From the Job Specification page, you can create the following batch jobs:
Generating a Batch Report

Batch reports are custom reports generated on a schedule and which can contain more data than reports
generated from the Reports list, the Report Edit page or from the Report Preview page.
There are no length limits on any batch reports generated in the CSV spreadsheet format. In PDF format, the
Audit Log report is limited to 13,000 records, the Identity Summary Report is limited to 100,000 records, and
the Transaction Report is limited to 50,000 records.
WARNING — Risk of system becoming unusable. Scheduling large reports on separate but overlapping
schedules, may cause memory problems that can result in the ACM system being unusable. To avoid this risk,
schedule the start times for large reports, such as audit logs in any format, to allow for each report to finish
before the next starts.
Perform this procedure to generate a custom report on a schedule.
1. Select >My Account and click the Job Specification tab.

The Job Specification page is displayed.
2. Click the Add button.

The Job Specification - General dialog box is displayed.
3. In the Appliance drop down list, select the appliance on which this job will run.
Only those appliances previously defined for this system appear in this option list.
If only one appliance is used for this system (the default), this field is automatically populated.
4. In the Name field, enter a name for this batch job.
5. From the Type drop down list, select Report.
After you select the job type, additional options are displayed.
l From the Report drop down list, select the report you want to batch.
Only custom reports appear in this list.
l From the Output Format drop down list, select the format in which you want this job generated.
6. Click Next.
The following screen shows the select report definition. Click Back to select a different report.
7. Click Next to continue.
Scheduling Batch Jobs 478

8. On the following page, select how often the batch report is generated. From the Repeat drop down
list, select one of the following options:
l Once —- The report will be generated once. Click the On field to display the calendar and
select a specific date and time.
l Hourly — The report will be generated at the same minute of every hour. Enter the minute
when the report is generated at each hour. For example, if you want the report generated at
1:30, 2:30, etc. then you would enter 30.
l Daily — The report will be generated every day at the same time. Enter the specific time when
the report is generated in 24 hour time format.
l Weekly — The report will be generated each week on the same day and time. Select the
checkbox for each day the report will be generated, and enter the specific time in 24 hour
format.
l Monthly — The report will be generated each month on the same day and time. Select the days
when the report is generated and enter the specific time in 24 hour format. Shift + click to
select a series of days, or Ctrl + click to select separate days.
9. Click Next.
A summary is displayed.
Select the Send Email checkbox if you want to receive an email copy of the report after it has been
generated. In the following field, enter your email address.
10. Click Submit to create this job.
11. To activate or deactivate this job, select the job and click Activate/Deactivate
Applying an Identity Profile to a Group Using a Job Specification

Create and schedule an Identity Update batch job to apply a new, updated or temporary identity profile to all
of the identities in a predefined group.
After you make changes to an identity profile, the identities previously created from the identity profile are
not automatically updated. Using a job specification and scheduling the job is one of the ways that these
changes can be applied.
Scenarios to apply an identity profile to a group of identities include:

l To apply a set of standard settings. When you have many identities defined with non-standard
settings, create a group containing these users and a new profile containing the standard settings.
Then apply the new profile to the group of identities.
l To apply modified settings in a commonly used identity profile. After you make changes to an identity
profile, the identities created from the identity profile are not automatically updated. You need to
create a batch job to apply these changes. Create a group of all the users that were created using this
profile, and then apply the modified profile to that group. If the profile is frequently modified, you can
create a repeating schedule.
l To apply a profile temporarily to a group. When you have identities that require a different profile for a
short time that cannot be cannot be satisfied using a policy, you can use an Identity Update batch job

to "turn on" a temporary profile for a specified duration, and then "turn off" that profile by replacing it
with a permanent profile. If the temporary profile is used repeatedly in a predictable manner, you can
create a repeating schedule.
Note: A group containing all of the identities previously created from the identity profile must be
created before the changes can be applied to the group. If the required groups have not been
created, contact your System Administrator.
When you choose to create an Identity Update job, you have the option to apply a new, updated or temporary
identity profile to the group.
A temporary door template is one that is applied for a specific period of time (either once or repeating) You
can apply a temporary door template to a group by using the Off Identity Profile option. Once the new identity
profile expires, the original identity profile is applied.
To create an Identity Update job specification:
1. Select > My Account and click the Job Specification tab.


The Job Specification dialog box is displayed.
5. From the Type drop down list, select Identity Update.
After you select the job type, more options are displayed.
l From the Group drop down list, select the group of identities that you want to change.
l From the Identity Profile drop down list, select the identity profile that you want to apply to the
group. If you are applying a temporary profile, this is the "on" profile.
l From the Off Identity Profile drop down list, select the identity profile to be applied if you want
an identity profile applied temporarily (that is, you want the identity profile to expire).
l From the Output Format drop down list, select the format for the report that is generated when
the job is complete.
The Job Specification - Schedule dialog box is displayed.

7. From the Repeat drop down list, select how often this batch job is run. Then specify the time you want
the profile to be applied. If you selected an Off Identity Profile, you also specify when the Off profile is
applied.
l Once —- The batch job is run once. Click the On and Off fields to display the calendar and
select a specific date and time.
l Hourly — The batch job is run at the same minute of every hour. Enter the minute when the
batch job is run at each hour. For example, if you want the job to run at 1:30, 2:30, etc. then you
would enter 30.
l Daily — The batch job is run every day at the same time. Enter the specific time when the job is
run in 24 hour time format.
l Weekly — The batch job is run each week on the same day and time. Select the checkbox for
each day the job will run, and enter the specific time in 24 hour format.
l Monthly — The batch job is run each month on the same day and time. Select the days when
the job will run and enter the specific time in 24 hour format. Shift + click to select a series of
days, or Ctrl + click to select separate days.
8. Click Next.
10. To activate or deactivate this job, select the job and click Activate/Deactivate.
Applying a Door Template to a Group Using a Job Specification

For ASSA ABLOY, Avigilon and Mercury Security doors.
Create and schedule a Door Update batch job to apply a new, updated or temporary door template to all of
the doors in a predefined group.
After you make changes to a door template, the doors previously created from the door template are not
automatically updated. Using a job specification and scheduling the job is one of the ways that these changes
can be applied.
Scenarios to apply a door template to a group of doors include:

l To apply a set of standard settings. When you have many doors defined with non-standard settings,
create a group containing doors and a new template containing the standard settings. Then apply the
new template to the group of doors.
l To apply modified settings in a commonly used door template. After you make changes to a door
template, the identities created from the door template are not automatically updated. You need to
create a batch job to apply these changes. Create a group of all the doors that were created using this
template, and then apply the modified template to that group. If the template is frequently modified,
you can create a repeating schedule.
l To apply a template temporarily to a group. When you have doors that require a different template for
a short time that cannot be cannot be satisfied using a policy, you can use an Identity Update batch job
to "turn on" a temporary template for a specified duration, and then "turn off" that template by
replacing it with a permanent template. If the temporary template is used repeatedly in a predictable
manner, you can create a repeating schedule.

Note: A group containing all of the doors previously created from the door template must be created
before the changes can be applied to the group. If the required groups have not been created,
contact your System Administrator.
When you choose to create a Door Update job, you have the option to apply a new, updated or temporary
door template to the group.
A temporary door template is one that is applied for a specific period of time (either once or repeating). You
can apply a temporary door template to a group by using the Off Door Template option. Once the new door
template expires, the original door template is applied.
To create a Door Update job specification:
1. Select > My Account and click the Job Specification tab.


The Job Specification - General dialog box is displayed. All options marked with * are required.
5. From the Type drop down list, select Door Update.
l From the Group drop down list, select the group of doors that you want to change.
l From the Door Template drop down list, select the door template that you want to apply to the
group.
l From the Off Door Template drop down list, you have the option to select to an alternative
door template when the first door template expires.
The Job Specification - Schedule dialog box is displayed.
7. Select how often this batch job is run. From the Repeat drop down list, select one of the following
options:
If you selected an Off Door Template, you will have the option to enter when the Off template is
applied. Otherwise, only the On field is displayed.

l Once —- The batch job is run once. Click the On field to display the calendar and select a
specific date and time.
would enter 30.
8. Click Next.
10. To activate or deactivate this job, select the job from the list in the Batch Job Specifications window
and click Activate/Deactivate.
Scheduling a Global Action

Perform this procedure to schedule global actions.
Note: The global actions must be created before they can be scheduled. If the required global
actions have not been created, contact your System Administrator.

The Job Specification page appears.

5. From the Type drop down list, select Global Action.
Scheduling a Global Action 483

l From the Global Action drop down list, select global action to perform. Only configured global
actions will appear on the list.
l From the Off Global Action drop down list, you have the option to select to a global action that
is performed after the first global action expires.
7. On the following page, select how often this batch job is run. From the Repeat drop down list, select
one of the following options:
would enter 30.
Note: If you selected an Off Global Action, you will have the option to enter when the Off
action occurs. Otherwise, only the On field is displayed.
8. Click Next.
10. To activate or deactivate this job, select the job and click Activate/Deactivate.
Setting Batch Door Modes

Perform this procedure to change the door mode for a set of doors.


5. From the Type drop down list, select Door Mode.
l
From the Available list, select the required doors then click to add it to the Members list.
l From the On Door mode drop down list, select the door mode that you want to apply to the
selected doors.
l From the Off Door mode drop down list, select the door mode that you want to apply to the
doors when the On action is complete.
l Select the Activate checkbox to make the door modes active.
7. On the following page, select how often this batch job is run. From the Repeat drop down list, select
one of the following options:
would enter 30.
Note: If you selected an Off Door Mode, you will have the option to enter when the Off action
occurs. Otherwise, only the On field is displayed.
8. Click Next.

Permissions and Rights
The following table describes the permissions and rights the default Admin Role allows. All roles are made up
of delegations. Each delegation is made up of rights.
Permissions Rights
View Events page System Summary Listing
System Summary Screen Refresh
System Summary Get Layout
System Summary Update Layout
Monitor Listing
Monitor Notes Show
Monitor Instructions Show
Monitor Identity Show
Search for events Spork Listing
Spork Search
Monitor/Search Filters Save
View Alarms Alarm Monitor Listing
Monitor Notes Show
Monitor Instructions Show
Alarms Code Photo
Monitor View Actions
Maps-Alarms Show
Respond to alarm activity Alarm Monitor Acknowledge
Alarm Monitor Clear
Alarms Create Notes
Alarm Monitor Acknowledge All
Alarm Monitor Clear All
Alarm Monitor Identity

Permissions Rights
View verifications Swipe & Show
Swipe & Show Get Doors
Swipe & Show Get Door Name
Get Photo
Monitor Identity Show
View the status of assigned hardware Monitor Listing
Monitor Panels Status
Monitor Periodic Update
Monitor Appliance Status
Control assigned hardware Doors Grant
Doors Disable
Doors Unlock
Doors Lock
Doors Restore
Doors Mask Held
Doors Mask Forced
Doors Unmask Held
Doors Unmask Forced
View and monitor status on assigned maps Maps Monitor Listing
Maps Show
Maps Show Generate Image
Maps Show Image
Maps View Listing
Maps Trace
Mustering dashboard drill-down
View the intrusion status Monitor Intrusion Panel Status

Permissions Rights
Control the assigned Bosch intrusion panels Bosch Intrusion Area Disarm
Bosch Intrusion Area Perimeter Delay

Arm
Bosch Intrusion Area Perimeter Force

Delay Arm
Bosch Intrusion Area Perimeter Force

Instant Arm
Bosch Intrusion Area Perimeter Instant

Arm
Bosch Intrusion Area Primary Delay Arm
Bosch Intrusion Area Primary Force Delay

Arm
Bosch Intrusion Area Primary Force

Instant Arm
Bosch Intrusion Area Primary Instant Arm
Bosch Intrusion Area Reset Sensors
Bosch Intrusion Area Silence
Bosch Intrusion Output Activate
Bosch Intrusion Output Deactivate
Bosch Intrusion Panel Command Execute
Bosch Intrusion Panel Create
Bosch Intrusion Panel Delete
Bosch Intrusion Panel Detail Listing
Bosch Intrusion Panel Detail Update
Bosch Intrusion Panel Edit
Bosch Intrusion Panel Listing
Bosch Intrusion Panel Monitor Status
Bosch Intrusion Panel Monitor Update
Bosch Intrusion Panel New
Bosch Intrusion Panel Show
Bosch Intrusion Panel Sync
Bosch Intrusion Panel Update

Permissions Rights
Bosch Intrusion Point Bypass
Bosch Intrusion Point Unbypass
Control the assigned DMP intrusion panels DMP Intrusion Area Bypass Instant Arm
DMP Intrusion Area Disarm
DMP Intrusion Area Force Instant Arm
DMP Intrusion Area Refuse Instant Arm
DMP Intrusion Output Activate

Momentary
DMP Intrusion Output Activate Pulse
DMP Intrusion Output Activate Steady
DMP Intrusion Output Activate Temporal

Code
DMP Intrusion Output Deactivate
DMP Intrusion Panel Command Execute
DMP Intrusion Panel Config Update
DMP Intrusion Panel Create
DMP Intrusion Panel Delete
DMP Intrusion Panel Detail Listing
DMP Intrusion Panel Entities Update
DMP Intrusion Panel Listing
DMP Intrusion Panel Monitor Status
DMP Intrusion Panel Monitor Update
DMP Intrusion Panel New
DMP Intrusion Panel Reset Sensors
DMP Intrusion Panel Show
DMP Intrusion Panel Silence Alarm
DMP Intrusion Panel Sync
DMP Intrusion Zone Bypass
DMP Intrusion Zone Unbypass

Permissions Rights
View live and recorded video Cameras Show
Cameras Login
Monitor Cameras Show Video
Add new identities. Cannot update fields after initial identity Identities My Account
setup
Identities Listing
Identities Show
Identities Advance Search
Identities Date Search
Identity Profiles Listing
Identity Profiles Show List
Identities New
Identities Create
Identities Edit
Identity Profiles Populate Values
Identities Custom Layout Save
Force the identity to change the password at the next login to Force Password Change
the ACM system.
Add, modify, and update available roles Identities Roles List
Identities Roles Update
Add, modify, and update tokens Tokens Listing
Tokens Show
Tokens New
Tokens Create
Tokens Edit
Tokens Update
Tokens Set Free Pass
Identity Profiles Tokens Listing
Add and modify groups Identities Groups List
Identities Groups Update

Permissions Rights
View assigned access permissions Identities Show Access
Identity Profiles Show Access
Capture live photos and save Identities Image Capture
Identities Image Save
Identities Code Image
Identities Photo Capture
Add and upload photos Identities Photo Edit
Identities Photo Update
Identities Photo Render
Identities Upload Photo
View transactional data Identities Transactions
Print and issue badges Identities Badge Show
Identities Badge Screen
Identities Print Badge
Identities Badge Render
Identities Update Badge Preview
Identities Update Badge

Permissions Rights
Perform REST actions Identities Photo List REST
Identities Photo Show REST
Identities Photo Create REST
Identities Photo Update REST
Identities Photo Delete REST
Appliance REST Generation Transaction
REST Appliance Status Display
REST Get Doors
REST Get Identities
REST Get Identity
REST Get Inputs
REST Get Panels
REST Get Right Groups
REST Get Roles
REST Get Subpanels
REST call to list canned macros by the distinguished name (dn) Canned Macros Show
of the door, input or output
List canned macros by macro name Canned Macros Listing
View Identity Policies Identities Policies Show
Identities Policies Listing
Add, modify, and delete Identity Policies Identities Policies Create
Identities Policies Edit
Identities Policies New
Identities Policies Update
Identities Policies Delete

Permissions Rights
View reports Reports Index
Report Show
Grant Access/Report
Reports Show Grid
Reports Custom Reports
Edit, preview, generate, and delete reports Reports Edit
Reports New
Reports Create
Reports Get Report Preview
Reports Quick Report
Reports Dynamic Criteria
Reports Destroy
View Doors Doors Listing
Doors Show
Interlocks Listing
Doors Show Status
Doors Effective Policy
Doors Events List
Doors Policy
Access Levels Listing
Access Levels Show
Firmware Listing
Macro Commands Listing
Macro Commands Show

Permissions Rights
View Panels Panels Listing
Panels Show
Triggers Listing
Panels Show Status
Panel Effective Policy
Panel Event List
Firmware Apply View Log
View EOL Resistance Resistance Levels Listing
View Areas Areas Listing
Areas Show
View Card Formats Card Formats Listing
Card Formats Show

Permissions Rights
Add and modify Doors ASSA ABLOY Doors Sync
Doors New
Doors Edit
Doors Create
Doors Update
Doors New/Edit Appliance Change
Doors New/Edit Manuf Change
Doors Grant
Interlocks New
Interlocks Create
Interlocks Edit
Interlocks Update
Interlocks Type Change New/Edit
Interlocks Subpanel Change New/Edit
Interlocks Trans Change New/Edit
Interlocks Command Change New/Edit
Interlocks Arg1 Change New/Edit
Interlocks Arg2 Change New/Edit
Interlock Trx Code Change New/Edit
Doors Disable
Doors Unlock
Doors Lock
Doors Download Status
Doors - Download Parameters
Doors - Reset
Doors - Download Tokens
Doors Restore
Doors Mask Held
Doors Mask Forced
Interlocks with Type

Permissions Rights
Doors Unmask Forced
Doors Unmask Held
Doors Cmacro Save
Doors Cmacro Type Change
Doors Cmacro Op Type Change
Doors Transactions
Doors Assign Camera Type Change
Doors Event Create
Doors Event Edit
Doors New/Edit Avail HW
Doors Elevator I/O Naming
Doors Edit - Panel Change
Firmware New
Firmware Create
Firmware Apply
Macro Commands New
Macro Commands Edit
Macro Commands Create
Macro Commands Update

Permissions Rights
Add and modify Panels Panels New
Panels Edit
Panels Create
Panels Update
Panels Appliance Change New/Edit
Panels Manf Change New/Edit
Panels Status Details
Panels Send Commands
Panels Parameters Download
Panels Tokens Download
Panels Reset Download
Triggers New
Triggers Edit
Triggers Create
Triggers Update
Triggers New/Edit Macro Change
Triggers New/Edit Type Change
Triggers New/Edit Subpanel Change
Triggers New/Edit TrxType Change
Triggers New/Edit Category Change
Trigger New/Edit Trx Code Change
Panel Rebuild Access Levels
Panel Download Status
Macro Commands Name Change
Panels Model Change New/Edit
Panels Set Free Pass
Panels Event Create
Panels Event Edit

Permissions Rights
Add and modify Areas Area New
Area Edit
Area Create
Area Update
Add and modify EOL Resistance Resistance Levels New
Resistance Levels Edit
Resistance Levels Create
Resistance Levels Update
Add and modify Card Formats Card Formats New
Card Formats Edit
Card Formats Create
Card Formats Update
Card Formats New/Edit Change Format
Card Format Type Change
Delete hardware Doors Delete
Interlocks Delete
Doors Cmacro Remove
Doors Event Delete
Firmware Delete
Macro Commands Delete
Panels Delete
Triggers Delete
Panel Events Delete
Resistance Levels Delete
Card Formats Delete

Permissions Rights
View Events Events Listing
Events Show
Events Colors Listing
Events Colors Show
Subpanels Event List
Inputs Event List
Outputs Event List
Event Logs Show
Event Logs Listing
Event Policies Show
Event Policies Listing

Permissions Rights
Edit Events Events New
Events Edit
Events Create
Events Update
Event Colors New
Event Colors Edit
Event Colors Create
Event Colors Update
Subpanels Event Create
Subpanels Event Edit
Inputs Event Create
Inputs Event Edit
Outputs Event Create
Outputs Event Edit
Change Event Type
Event Logs Create
Event Logs Edit
Event Logs New
Event Logs Update
Event Policies Create
Event Policies New
Event Policies Edit
Event Policies Update

Permissions Rights
Delete Events Events Delete
Events Colors Delete
Subpanels Event Delete
Inputs Event Delete
Outputs Event Delete
Event Logs Delete
Event Policies Delete
View Global Actions Global Action Listing
Global Action Show
Edit Global Actions Global Action New
Global Action Edit
Global Action Create
Global Action Update
Global Action Edit Type Change
Global Action Execute
Delete Global Actions Global Action Destroy
View Global Linkages Global Linkage Listing
Global Linkage Show
Edit Global Linkages Global Linkage New
Global Linkage Edit
Global Linkage Create
Global Linkage Update
Global Linkage Edit Device Type
Global Linkage Edit Token Search
Global Linkage Edit Token Adv Search
Global Linkage Remote Execute
Delete Global Linkages Global Linkage Destroy

Permissions Rights
View Roles Roles Listing
Roles Show
Roles Show Access
View Policies Area Policies Listing
Area Policies Show
Area Policies Listing
Area Policies Show
Policies Listing
Policies Show
View Groups Groups Listing
Groups Show
View Access Groups Access Groups Listing
Access Groups Show
Access Group Show Access
View Delegations Delegations Listing
Delegations Show
View Partitions Partitions List
Partitions Show
View Routing Groups Routing Group Listing
Routing Group Show
View Elevator Access Levels Elevator Access Listing

Permissions Rights
Add and modify Roles Roles New
Roles Edit
Roles Create
Roles Update
Roles Create Copy
Roles Delete
Roles Assign Delegation
Roles Assign Groups
Roles Assign Ports
Roles Assign SO
Add and modify Policies Area Policies New
Area Policies Edit
Area Policies Create
Area Policies Update
Door Policies New
Door Policies Edit
Door Policies Create
Door Policies Update
Policies New
Policies Edit
Policies Create
Policies Update
Add and modify Groups Groups New
Groups Edit
Groups Create
Groups Update
Groups Member Assign
Groups Policies Assign
Groups/Identity Advanced Search
Groups/Identity Advanced Criteria

Permissions Rights
Add and modify Access Groups Access Groups New
Access Groups Edit
Access Groups Create
Access Groups Create Copy
Access Groups Update
Access Groups Door Assign
Add and modify Delegations Delegations New
Delegations Edit
Delegations Create
Delegations Create Copy
Delegations Delete
Delegations Modify Members
Add and modify Routing Groups Routing Group New
Routing Group Edit
Routing Group Create
Routing Group Update
Routing Group Update Groups
Routing Group Update Types
Add and modify Elevator Access Levels Elevator Access New
Elevator Access Create
Elevator Access Edit
Elevator Access Update
Delete Policies, Groups, Access Groups, Routing Groups, Area Policies Delete
Elevator Access Levels
Door Policies Delete
Policies Delete
Groups Delete
Access Groups Delete
Routing Groups Delete
Elevator Access Delete

Permissions Rights
View Appliance Appliances Listing
Appliances Show
Appliance Ports Listing
Serial Ports Listing
Routes Listing
Routes Show
Appliance Software Listing
Appliance Virtual Port List
Appliance Software View Log
Appliance Backup Listing
Appliance Backup Show
Appliance Status Display
Appliance Log Download
Appliance Log Show
Appliance Backup Directory List

Permissions Rights
Add and modify Appliances Appliances New
Appliances Edit
Appliances Create
Appliances Update
Appliance Ports Edit
Appliance Ports Update
Serial Ports Edit
Serial Ports Update
Routes Edit
Routes New
Routes Create
Routes Update
Appliance Log
Appliance Log Update
Appliance Software New
Appliance Software Create
Appliance Software Apply
Appliance Set System Date Time
Appliance Backup Edit
Appliance Backup Create
Appliance Backup/Show Files
Appliance Set Free Pass
Appliance Show system Time
Appliance Backup View Log
Appliance Email Test
Appliance Repl Subscription Add
Appliance Repl Subscription Add

(remote)
Appliance Repl Subscription Remove

(remote)

Permissions Rights
Appliance Failover
Appliance Failback
Appliance Replication Update
Appliance Replication Status
Run Backup Now
Appliance Transaction Replication Status
Appliance Backup Directory List, remote
Appliance Backup Type USB
Node Server Status Check
Delete Appliance Appliances Delete
Routes Delete
Appliance Software Delete
View System Setup Schedules Listing
Schedules Show
Holidays Listing
Holidays Show
Event Types Listing
Event Types Show
Get Event Types for Device
Get Alarm Types for Device

Permissions Rights
Add and modify System Setup Schedules New
Schedules Edit
Schedules Create
Schedules Update
Holidays New
Holidays Edit
Holidays Create
Holidays Update
Event Types New
Event Types Edit
Event Types Create
Event Types Update
Delete System Setup Schedules Delete
Holidays Delete
Event Types Delete
View User Fields and User Lists User Defined Tabs Listing
User Defined Tabs Show
User Defined Fields Listing
User Defined Fields Show
User Lists Index

Permissions Rights
Add and modify User Fields and User Lists User Defined Tabs New
User Defined Tabs Edit
User Defined Tabs Create
User Defined Tabs Update
User Defined Tabs Edit/Assign
User Defined Fields New
User Defined Fields Edit
User Defined Fields Create
User Defined Fields Update
User Lists Edit
User Lists Update
Delete User Fields and User Lists User Defined Tabs Delete
User Defined Tabs Delete
View System Settings External Domains Show
External Domains Index
System Settings Index
Add and modify System Settings System Settings Update
System Settings Edit
External Domains Update
External Domains Edit
External Domains New
External Domains Create
External Domains List Certificates
External Domains Create Certificates
External Domains Load Certificates
System Settings Edit (in place)
System Settings Enhanced Access Level
Delete System Settings External Domains Destroy
External Domains Destroy Certificates

Permissions Rights
View Badge Designer Badge Templates Listing
Badge Templates Show
Add and modify badge templates in the Badge Designer Badge Templates New
Badge Templates Edit
Badge Templates Create
Badge Templates Update
Badge Templates Generate Image
Badge Templates Add Details
Badge Template Copy
Badge Template Preview
Delete badge templates in the Badge Designer Badge Templates Delete
View External Systems Image Devices Listing
Image Devices Show
Exacq Server List
Exacq Show
External Systems Listing
External Systems Show
Avigilon Show
Avigilon Server List
Salient Server List
Salient Server Show
Salient Cameras List
Milestone Server List
Milestone Server Show
Avigilon Server Camera List
Avigilon Server Status
Intrusion Panel Listing
Intrusion Panel Show
Intrusion Panel Detail Listing

Permissions Rights
Add and modify External Systems Image Devices New
Image Devices Edit
Image Devices Create
Image Devices Update
Exacq Server Create
Exacq Server Edit
Exacq Server New
Exacq Update
External Systems Edit
External Systems Update
External Systems New
External Systems Create
Avigilon Server Create
Avigilon Server Edit
Avigilon Server New
Avigilon Update
Salient Server New
Salient Server Create
Salient Server Edit
Salient Server Update
Salient Cameras PTZ Control
Milestone Server New
Milestone Server Edit
Milestone Server Create
Milestone Server Update
Avigilon Server Cameras
Avigilon Server Add/Update Cameras
HID Origo Connection Create
HID Origo Connection Delete
HID Origo Connection Listing

Permissions Rights
HID Origo Connection Send Invitation
HID Origo Connection Update
Intrusion Panel New
Intrusion Panel Create
Intrusion Panel Edit
Intrusion Panel Update
Intrusion Panel Detail Update
SALTO Server Create
SALTO Server Listing
SALTO Server Update
Virdi Biometric Create
Virdi Biometric Listing
Virdi Biometric Update
Delete External Systems Image Devices Delete
Exacq Server Delete
External Systems Delete
Avigilon Server Remove
Salient Server Delete
Milestone Server Delete
SALTO Server Delete
Virdi Biometric Delete
Mercury Security panels only Certificates Create
Add, modify and delete custom certificates Certificates Destroy
Certificates Edit
Certificates Listing
Certificates New
Certificates Show
Certificates Update

Permissions Rights
View Maps Maps Listing
Maps Show
Add and modify Maps Maps New
Maps Edit
Maps Create
Maps Update
Maps Edit and Add Detail
Delete Maps Maps Delete
View Collaboration Collaboration Listing
Collaboration Show
Edit Collaboration Collaboration New
Collaboration Edit
Collaboration Create
Collaboration Update
Collaboration Type Change New/Edit
Collaboration Assign Event Types
Collaboration Connection Test
Collaboration Table Change
Collaboration Database Search
Collaboration Edit (gw-change)
Collaboration Identity Write/Logs
Collaboration Identity Read/Logs
Identity Collabs Preview
Collaboration CSV Recurring, Directory

List
Collaboration CSV Recurring, remote
Delete Collaboration Collaboration Delete

Permissions Rights
View account details, batch jobs, and job specifications Identities MyAccount
Batch Job Specification Index
Batch Job Specification New
Batch Job Index
View Batch Update Schedules
Create, edit, and delete batch jobs and job specifications Batch Job Specification Edit
Batch Job Specification Activate
Batch Job Specification PostProcess
Batch Job Specification

JobSpecificationList
Batch Job Specification Create
Batch Job Specification Update
Batch Job Create
Batch Job New
Batch Job Update
Batch Job List
Batch Job Output
Custom Report Schedule
Reset Custom UI Settings
System Settings Localize
Batch Job Specification Destroy
Batch Job Destroy

Troubleshooting
Events
To view events, do one of the following:
l Select Monitor > Events and search for events.
l Select Physical Access > Doors, the door name and then the Transactions tab.
Note: The default event names and event types in this section may be customized in your ACM
application. For more information, see Customizing ACM System Events on page 331.
Appliance Events
Source Type: Appliance
Event Description
System
CPU Load High The five-minute CPU load average across all threads is running at a high
level.
CPU Load Normal The five-minute CPU load average across all threads is running at a low-to-
medium level.
Database Disk Space Low Less than 10% (inclusive) of free disk space is available in the database disk
partition.
Database Disk Space Normal More than 10% of free disk space is available in the database disk partition.
Network Port 1 Link Down The link is down for network port-1 on the appliance.
Network Port 1 Link Normal The link is up for network port-1 on the appliance.
Network Port 2 Link Down The link is down for network port-2 on the appliance.
Network Port 2 Link Normal The link is up for network port-2 on the appliance.
Programs Disk Space Low Less than 5% (inclusive) of free disk space is available in the programs disk
partition.
Programs Disk Space Normal More than 5% of free disk space is available in the programs disk partition.
System Memory Low Less than 10% (inclusive) of system memory (RAM) is available on the
appliance.
System Memory Normal More than 10% of system memory (RAM) is available on the appliance.
Troubleshooting 515
Door Events
When a door is not operating as expected, review the event transactions.
Note: The event transactions depend on events that are sent from locks and devices over various
technologies. Allow time for the events to appear in the ACM application.
Source Type: Door

ASSA ABLOY IP doors refer to hard-powered PoE (Power over Ethernet) locks and battery-powered Wi-Fi locks.
SALTO doors refer to online and standalone doors.
Event Description Device
Communications
Door service was offline The audit buffer got full before audits could be Control locks, LE, LEB,
before system audit retrieved from the lock. NDE, NDEB, RM, RU
Out of Sync The door is out of sync with the DSR and ACM ASSA ABLOY IP doors
system.
RF loss / Lock offline Any of: Control locks, LE, LEB,

LE (RSI mode), NDE,
l Communication to the linked device over
NDEB, RM, RU
radio frequency was disconnected.
l Lock is offline.
Door held open
Door held masked A door held masked event occurred. ASSA ABLOY IP doors
Door held open A door held open event occurred. ASSA ABLOY IP doors
and Schlage AD-400,
LE, LEB, LE (RSI mode),
NDE, NDEB, RM, RU
Door held unmasked A door held unmasked event occurred. ASSA ABLOY IP doors
Forced Door
Forced door A forced door event occurred. ASSA ABLOY IP doors

and Schlage AD-400,
LE, LEB, LE (RSI mode),
NDE, NDEB, RM, RU
Forced door masked A forced door masked event occurred. ASSA ABLOY IP doors
Forced door unmasked A forced door unmasked event occurred. ASSA ABLOY IP doors
Door Events 516

Invalid Credential
Attempt to open Locked Access was attempted when the door mode was ASSA ABLOY IP doors
Door set to Locked No Access.
Duress Detected - Access A duress code was detected at the door, and Mercury doors with PIN
Denied therefore, access was denied. keypad
Expired Card Attempt No access granted when an expired token was ASSA ABLOY IP doors,
swiped at the reader. Control locks, LE, LEB,
NDE, NDEB
For LE, LEB, NDE and NDEB locks. In the
Deactivate Date field, the token expires at the
start of the specified hour. For example, if
17:00:00 is specified, the token expires at
16:00:00.
For ASSA ABLOY IP and Control locks. In the

Deactivate Date field, the token expires at the
start of the specified minute and second. For
example, if 17:10:10 is specified, the token expires
at 17:10:00.
To resolve this issue, do any of:

l Set the Deactivate Date to the next date.
l Set the Deactivate Date to the same date
and next hour (for LE, LEB, NDE and NDEB),
or next minute and second (Control).
Invalid Card - Before An invalid card was detected before its activation. Schlage AD-400 and
Activation LE (RSI mode)
Invalid card format An invalid card format occurred. Schlage AD-400 and
LE (RSI mode)
Invalid Card Schedule Access was attempted outside of the allowed Any door
date and timed access for the identity.
Unknown card The swiped card is not known to the door ASSA ABLOY IP doors
because the token was not downloaded. and Schlage AD-400
and LE (RSI mode)
Invalid PIN code has been The card was not granted access to the door due Any door
entered to an invalid PIN code.
Valid card at an A valid card was presented at an unauthorized Schlage AD-400 and
unauthorized reader reader. LE (RSI mode)
Maintenance
Door Events 517

Door has been restored The door mode or custom mode has been SALTO online door
restored.
Magnetic Tamper A magnetic tamper event occurred. LE, LEB, NDE, NDEB,
RU, RM
Token capacity exceeded A token cannot be added due to the lock capacity. ASSA ABLOY IP doors,
Schlage ENGAGE locks
Power
Door Critical Battery The battery power supply was running critically ASSA ABLOY IP doors,
low on the device. Control locks, LEB,
NDEB, RM, RU
Door low battery The battery power supply was running low on the ASSA ABLOY IP doors,
device. Control locks, LEB,
NDEB, RM, RU
System
Deadbolt A deadbolt was used. Schlage AD-400
Door has been added For Offline Wi-Fi locks. The lock on the door has LE, LEB, NDEB
been externally commissioned through the
ENGAGE gateway application.
Door has been locked The door has been locked. Any door
Door has been unlocked The door has been unlocked. Any door
Door in card only mode A door in Card Only mode was detected. Schlage AD-400 and
LE (RSI mode)
Door opened The door is open. ASSA ABLOY IP,

Mercury Security, HID
and Schlage IP doors
Escape and Return Unlock The Escape and Return mode is active (Exit SALTO doors with no
Active Leaves Open or Toggle and Exit Leaves Open control unit
door mode).
Escape and Return Unlock The Escape and Return mode is inactive (Exit SALTO doors with no
Inactive Leaves Open or Toggle and Exit Leaves Open control unit
door mode).
Host Rex, Door not used A request to exit was initiated but the door was Schlage AD-400
not used.
Door Events 518

Host Rex, Door used A request to exit was initiated and the door was Schlage AD-400
used.
Host Rex, Non-verified A request to exit was initiated (non-verified). Schlage AD-400
Host Rex, Use Pending A request to exit was initiated and door use is Schlage AD-400
pending.
Motor Stall A motor stall occurred. Schlage AD-400
Rex Pressed, Door used The door handle was used. ASSA ABLOY IP,
Mercury Security, HID,
SALTO and Schlage IP
doors; LE (RSI mode)
Tamper
Bezel Tamper A bezel tamper occurred. Schlage AD-400 and

LE (RSI mode)
Bluetooth Tamper - Door A Bluetooth configuration device was connected Control locks, LEB,
to the door, which caused the door to disconnect NDEB, RM, RU
from the gateway.
To resolve this issue:

l Disconnect the configuration device.
Keyswitch A physical key was used to access the door. ASSA ABLOY IP and
Schlage AD-400
Reader/Device Tamper A tamper event occurred in any of: Control locks, LEB,
NDEB, RM, RU
l The reader or linked device.
l The cover of the crash bar or push bar.
User audit
Door grant request A door grant request was initiated. Schlage AD-400 and
LE (RSI mode)
Valid Credential
Door Events 519

Keypad Code Grant The correct access code was entered at the door SALTO online doors
that is configured for Keypad Only door mode.
Note: No event is logged when an

incorrect keypad code is entered at the
door.
Invalid key The access code on the key is no longer valid. SALTO online doors
Local Grant Access was granted to an identity that has access Any door
to the door and has swiped the card.
Local Grant - Duress - Not Access was granted to an identity that has access Mercury doors with PIN
Used to the door and has not entered a duress keypad keypad
code or duress PIN during a security situation.
Local Grant - Duress - Used Access was granted to an identity that has access Mercury doors with PIN
to the door and has entered a duress keypad keypad, SALTO online
code or a duress PIN during a security situation. doors
Control Lock Events

IP-connected doors only
Source Type: Door
System
Deadbolt Any of: Control locks

l The deadbolt was locked (extended) after a Local
Grant event.
l Deadbolt usage.
NORMAL - Deadbolt Any of: Control locks

l The deadbolt was unlocked (retracted) after a
Local Grant event.
l Deadbolt usage.
RU and RM Device Events

IP- and RSI-connected doors only
Source Type: Door
Control Lock Events 520

Communications
DPS communication failure A DPOS communication failure has occurred. RU, RM
Maintenance
Dogging mechanism failure The latch hook in the push bar did not release and RU
requires intervention by personnel to unlock the door.
Latch mechanism failure The latch bolt did not retract during exit and requires RU, RM
intervention by personnel.
System
Unlock on next exit request The ACM system sent an Unlock on next exit request to RU
the door.
Tamper
Door has been locked The door in DNE state was locked by personnel using the RU, RM
manually hex key.
Door has been unlocked The door was unlocked by personnel using the hex key RU, RM
manually and pressing the push bar.
Door security compromised The latch in the push bar was not extended due to RU, RM
tampering of the closed door.
Unlock on next exit (manual) The latch in the push bar was retracted by personnel RU, RM
using the hex key, which sets up the door to be unlocked
by the next person who presses the push bar.
Intrusion Events
DMP Intrusion Events
Source Type: DMP Intrusion Area, DMP Intrusion Output, DMP Intrusion Panel, DMP Intrusion User, DMP Intrusion Zone
Note: Some events are dependent on DMP firmware versions.
DMP Intrusion Area
Source Type: DMP Intrusion Area
Event Description
DMP Area armed The area was armed.
DMP Area armed (All areas armed) All areas in the system were armed.
Intrusion Events 521

Event Description
DMP Area disarmed The area was disarmed.
DMP Late to arm The area was armed outside of the schedule assigned to the area.
DMP Intrusion Output
Source Type: DMP Intrusion Output
Event Description
- -
DMP Intrusion Panel
Source Type: DMP Intrusion Panel
Event Description
Event Type: Intrusion DMP
DMP * * AMBUSH * * A silent alarm was initiated by a user during an emergency situation.
DMP A.C. power restored The A.C. power was restored to the panel.
DMP ALERT: System recently An alarm message was generated within five minutes of the panel
armed being armed. Informs the central station that the panel was armed
before the alarm occurred.
DMP ALERT: Unauthorized Entry An area was disarmed by a user outside of their scheduled access
time. Access setup is dependent on the hardware model.
Note: To resolve this event, do any of the following:
l Add a schedule to the profile.

l Delete all access schedules from the profile.
l Add an access area to a profile that is in a schedule.
l Change one of the assigned schedules.
DMP Automatic recall test OK The panel is communicating as expected in an automatic

communication test.
DMP Communication line level The panel detected that communication to the cellular tower was
restored restored.
DMP Late to Close The system was not armed at its scheduled closing time.
DMP Lockdown cleared A lockdown was cleared, either using the keypad by a DMP user or
remotely by a Remote LInk user.
DMP Intrusion Output 522

Event Description
DMP Lockdown initiated A lockdown was issued in an emergency situation to lock all doors
designated as public, either using the keypad by a DMP user or
remotely by a Remote Link user.
DMP Panel Restart The panel was restarted.
DMP Receiver EEPROM Error The panel detected an Electronically Erasable Programmable Read
Only Memory (EEPROM) error in equipment, such as a printer or line
card.
DMP Service Code Start A service authorization code was entered by service personnel
before accessing panel operations or programming. An
authenticated code can be used for 30 minutes before requiring
authentication again.
DMP Service Code Stop The service authorization code must be authenticated again (30
minutes have elapsed).
DMP Standby battery restored The panel battery voltage was restored to greater than 12.6 VDC at
the last battery test.
DMP TROUBLE OVERRIDE A system trouble message was acknowledged by a DMP user who
selected OKAY when arming the system.
DMP Telephone line 1 restored The panel detected that its main telephone connection is operational.
DMP Telephone line 2 restored The panel detected that the second telephone line is operational.
DMP WARNING: A.C. power failure The main A.C. power is not present or is less than 85% of the
expected voltage. The warning is sent after the expiration of the
panel programmed delay time.
DMP WARNING: Alarm bell The panel's main bell circuit was silenced by a code entry at a panel
silenced keypad.
DMP WARNING: Low The panel detected that communication to the cellular tower was
communication line level missing for more than 180 seconds.
DMP WARNING: Low standby The standby battery fell below 11.9 VDC. The battery is tested at 15
battery minutes past each hour.
DMP WARNING: Telephone line 1 The panel detected that its main telephone connection is
trouble disconnected or is non-operational.
DMP WARNING: Telephone line 2 The panel detected that the second telephone connection is
trouble disconnected or is non-operational.
Event Type: User audit
Intrusion Panel Command Request A request was generated in the ACM application to update the
intrusion panel, area, zone or output configuration.
DMP Intrusion Panel 523

Event Description
Other supported events:
DMP ContactID, DMP Equipment Added, DMP Equipment Adjusted, DMP Equipment Removed, DMP
Equipment Repaired, DMP Equipment Replaced, DMP Equipment Test
DMP Intrusion User
Source Type: DMP Intrusion User
Event Description
DMP Access denied - anti- Door access in an anti-passback area was denied to a user (an identity
passback in ACM) who did not use the proper door to exit an area they had
previously accessed.
DMP Access denied - armed area Door access to an armed area was denied to a user (an identity in
ACM).
DMP Access denied - inactive Door access was denied to an inactive user (an identity in ACM).
user
DMP Access denied - invalid area Door access was denied to a user (an identity in ACM) trying to access
an area that is not assigned to their user code or profile.
DMP Access denied - invalid Door access was denied to a user (an identity in ACM) using an invalid
code user code, or if the two man (person) rule configuration is enabled, the
second code was not entered or the same code was entered twice.
DMP Access denied - invalid time Door access was denied to a user (an identity in ACM) trying to access
an area at a time that is outside all schedules in all profiles assigned to
the user.
DMP Access denied - invalid user Door access was denied to a user (an identity in ACM) trying to access
level/profile a door that is not enabled in any profile assigned to the user.
DMP Door access Door access was provided to a user (an identity in ACM).
DMP Holiday A change A holiday date, type A, was changed by a DMP user.
DMP Holiday B change A holiday date, type B, was changed by a DMP user.
DMP Holiday C change A holiday date, type C, was changed by a DMP user.
DMP Holiday change A holiday date was changed by a DMP user.
DMP Permanent schedule A permanent schedule was changed by a DMP user.

change
DMP Primary schedule change A primary schedule was changed by a DMP user.
DMP Intrusion User 524

Event Description
DMP Secondary schedule A secondary schedule was changed by a DMP user.

change
DMP Shift 1 schedule change A shift schedule was changed by a DMP user.
DMP User code added A user code was added by a DMP user.
DMP User code changed A user code was changed by a DMP user.
DMP User code deleted A user code was deleted by a DMP user.
DMP User code inactive For XR550 only. A user code expired after a period of inactivity.
DMP Intrusion Zone
Source Type: DMP Intrusion Zone
Event Description
DMP Dirty smoke detector A 'dirty smoke detector' service message was sent for the zone.
DMP Zone alarm A burgulary, carbon monoxide, fire, or generic alarm occurred in a
zone (for example, east warehouse).
DMP Zone bypassed A zone was bypassed by the DMP user.
DMP Zone failed A 'zone failed' message was sent for the zone.
DMP Zone faulted A 'zone faulted' message was sent for the zone.
DMP Zone force armed A 'zone force armed' message was sent for the zone.
DMP Zone low battery A 'low battery' message was sent for the zone.
DMP Zone missing A 'zone missing' message was sent for the zone.
DMP Zone reset A zone was reset.
DMP Zone restored A zone was restored to the expected condition from a bad condition.
DMP Zone tamper A 'zone tamper' message was sent for the zone (for example, a
wireless keypad tamper).
DMP Zone trip count The number of zone trips was sent for the zone.
DMP Zone trouble A 'zone trouble' message was sent for the zone (for example, a
wireless keypad tamper).
DMP Intrusion Zone 525

Event Description
DMP Zone verified A 'zone verify' message was sent for the zone.
Panel Events
Source Type: Panel
Communications
Panel offline The panel is offline. Mercury Security panel,

SALTO server, Schalge
ENGAGE gateway (RSI
mode)
Maintenance
Maximum panel schedule The maximum number of schedules configured ASSA ABLOY DSR,
count exceeded for a panel has been exceeded. Mercury Security panel,
SALTO server, Schlage
For Mercury Security and ASSA ABLOY IP-
ENGAGE gateway
enabled doors, the limit is 255 schedules. For
(IP and RSI mode)
Schlage IP/PoE mode doors, the limit is 16
intervals in all schedules combined. For SALTO
doors, the limit is 1024 schedules.
To resolve this issue, do any of the following:

l Assign fewer schedules to the panel.
l Identify unneeded schedules on the
Schedules tab on the panel page.
l Move hardware to a different or new
panel.
Panel Firmware Download A panel firmware download request has started Mercury Security panel
Started in the ACM application.
Panel Full Parameter A panel parameter download request has Mercury Security panel
Download Started started in the ACM application.
Panel Full Token Download A panel token download request has started in SALTO server
Started the ACM application.
Panel sync request A panel sync request has completed in the ACM SALTO server
completed application.
Panel sync request started A panel sync request has started (and not SALTO server
completed yet) in the ACM application.
Tamper
Panel Events 526

Panel transaction limit The maximum number of transactions Mercury Security panel
reached configured for the subpanel was reached.
SALTO Key Events

Source Type: Credentials
User Audit
Key Assignment completed A key was assigned to a token in the ACM system. SALTO doors
Key Assignment started A key assignment to a token was started in the SALTO doors
ACM system.
Key Cancelled A key was cancelled in the ACM system. SALTO doors
Key Update completed A key update was completed in the ACM system. SALTO doors
Key Update started A key update was started in the ACM system. SALTO doors
Subpanel Events
Source Type: Subpanels
Communications
Subpanel offline The subpanel is offline. Schalge ENGAGE gateway

subpanel (RSI mode)
System Events
Source Type: System
Event Description
CSR Created An SSL certificate signing request (CSR) was created in the ACM application.
Expired Transactions The expired transactions were removed from the appliance when the
Removed threshold was reached. For more information, see the Max Days Stored
setting.
New Cert Generated A new SSL certificate was generated in the ACM application.
New Cert Taken Into Use A new SSL certificate was applied to the appliance.
New Cert Uploaded - Failure The new SSL certificate was not uploaded to the appliance.
SALTO Key Events 527

Event Description
New Cert Uploaded - The new SSL certificate was uploaded to the appliance.
Success
Transaction log exceeded The transactions stored in the appliance have exceeded 85% of the
85% maximum stored transactions threshold.*
Transaction log exceeded The transactions stored in the appliance have exceeded 95% of the
95% maximum stored transactions threshold.*
Transaction log exceeded The transactions stored in the appliance were purged. For more information,
threshold see the Max Stored Transactions setting.*
* See also Appliance Transactions Indicators on page 47.
Enabling Debug Logs
Note: Enabling the appliance logs requires these delegations: Appliance Log, Appliance Log
Download, Appliance Log Show, and Appliance Log Update. Contact your support representative to
enable the Debug checkbox, if needed.
To debug using the appliance logs:
1. Select > Appliance and the Access tab.

2. Put a checkmark in the Debug checkbox next to the vendor.
3. Click .
See also Accessing Appliance Logs on page 370.

Appendix: pivCLASS Configuration
Note: Refer to this information only if you are installing ACM and are required to use the Federal
Information Processing Standard (FIPS) 140-2 certified cryptographic module and pivCLASS solution
for FIPS 201-2 certified sites.
Overview
This section is intended for ACM operators who are using the pivCLASS application, authentication module
(PAM) and pivCLASS readers to validate the authenticity of Personal Identification Verification (PIV) and PIV-
Interoperable (PIV-I) cards. The NIST cryptographic functionality enables ACM™ system to comply with FIPS
140-2 requirements.
The FIPS-certified crytographic module and pivCLASS readers are supported on all ACM platforms.
Prerequisites
Partners who install the pivCLASS application, authentication module (PAM) and pivCLASS readers are
recommended to take pivCLASS software and public key infrastructure (PKI) at the door certification training.
For more information, see Genuine HID Academy Learning Center.
Enabling FIPS 140-2 Encryption on ACM Appliances

Follow these steps if:
l If you are required to use ciphers that are certified as compliant with the Federal Information
Processing Standard (FIPS) Publication 140-2 (a U.S. government computer security standard used to
approve cryptographic modules, titled "Security Requirements for Cryptographic Modules").
l If you are using only door controllers that support the cryptographic module certified by the U.S.
government with the ACM system; see National Institute of Standards and Technology (NIST)
certificate #3661. Only Mercury LP-series controllers support this cryptographic module.
To enable FIPS 140-2 encryption on an ACM appliance:
Appendix: pivCLASS Configuration 529

1. On the Appliance page, select the Use FIPS 140-2 compliant ciphers only checkbox.
This setting is system-wide and triggers an automatic restart of the ACM appliance when it is selected.
When this checkbox is:
l Not Enabled (the default) — A cipher that is not FIPS compliant is used to encrypt traffic in the
ACM system.
l Enabled — The ACM system uses the ciphers supported by the NIST #3661 cryptographic
module. Only the ciphers covered by this certificate are used.
A warning message is displayed.
2. Click OK to confirm.
The ACM appliance is restarted, and now the ACM system is using the FIPS 140-2 encryption. No
additional steps are required to configure Mercury panels.
Enabling Large Encoded Card Format and Embedded

Authorization on Panels
Use the following fields when you add a panel to the ACM system, depending on the type of authentication in
use at your site.
Authentication Subsystem Enable Large Encoded Card Format Embedded Auth

None (uncheck) None
pivCLASS with external PAM (check) None
pivCLASS embedded AAM for (check) pivCLASS
Mercury LP4502 only
On the Panel: Add page:

l For Mercury LP4502 model only. In the Embedded Auth field, select pivCLASS. The Enable Large
Encoded Card Format field is automatically selected.
l For all other types of Mercury controllers. Select the Enable Large Encoded Card Format field (non-
reversible; see Note below):
o Used for internal numbers that are larger than 64 bits. For example, 128-bit and 200-bit cards
need the 32-character Federal Agency Smart Credential Number (FASC-N) or Card Holder
Unique Identifier (CHUID) for PIV-I cards. Large Encoded card formats are used with FIPS 201
certified pivCLASS readers; see Approved Product List (APL) #10122.
o Used typically to enable authentication by pivCLASS readers at FIPS 201-2 certified sites.
Note: The panel cannot be reconfigured after this setting is selected. To accept any other card
format other than large formats, delete it and re-add it to the ACM system.
Enabling Large Encoded Card Format and Embedded Authorization on Panels 530
Updating Firmware
To update the firmware of the Mercury LP4502 panel:
1. On the Panels list, select the panel and then on the Status tab, click Firmware.
2. To add support for the authentication module on the panel, install the pivCLASS-Embedded-Auth_
Pkg_05_10_27_#145.crc firmware version.
To remove the authentication module from the panel, install the pivCLASS-Embedded-Auth-
Removal_Pkg_01_00_00_#14.crc firmware version.
3. To verify the installation of the firmware, review the panel status page which shows the name and
version of the pivCLASS package along with the authentication module and firmware versions.
4. For pivCLASS embedded AAM for Mercury LP4502 only. After the firmware is installed, you must
configure communication between the panel and pivCLASS service. For more information about
configuring the pivCLASS-Embedded-Auth fields on the Configuration Manager for the panel, refer to
Mercury documentation.
Adding Doors
When adding a door with pivCLASS embedded AAM for the Mercury LP4502 model, do the following:
l Ensure the Name field is updated as follows. If your site uses pivCLASS-compliant credentials to
authenticate credentials, the Name of the door that you enter in the ACM system must match the
reader name entered in the Description field of the reader in the pivCLASS registration system. Before
adding doors, ensure you that you know the reader name entered in the pivCLASS registration
system, as they must be identical. For more information about pivCLASS-compliant registration
software, refer to pivCLASS documentation.
l Select the LP4502 panel name in the Panel field.
l Ensure the Assurance Profile field is updated as follows.
For LP4502 with AAM only; does not appear for external PAM. Select a pivCLASS security level
appropriate for the pivCLASS compliant door at the site; for example, CAK (PIV).
Each profile refers to a protected area that is defined by NIST SP 800-116, titled "A Recommendation
for the Use of PIV Credentials in PACS," and is secured by an identification method in accordance with
the FIPS 201 standard, titled "Personal Identity Verification (PIV) of Federal Employees and
Contractors."
For more information about each authentication method, refer to pivCLASS Service documentation.
l To support the selected Assurance Profile for a pivCLASS configured door, it is recommended to set
the Door Mode to Card Only. Note also, the Disabled, Unlocked and Locked No Access door actions
supercede the Assurance Profile.
Adding Reader Templates

When adding a reader template, do the following:
Updating Firmware 531

l Ensure the Baud Rate for the pivCLASS reader is updated as follows:
Note: It recommended to specify a Baud Rate that is higher than the default 9600 (default) rate and
to lower the baud rate, if reader issues occur. In addition, end users should hold the pivCLASS card
on the pivCLASS reader for more than 5 seconds for smooth operation.
Assigning Large Encoded Formats to Panels

If the Enable Large Encoded Card Format checkbox is enabled, the 128 bit Large Encoded and 200 bit
Large Encoded card formats are automatically generated for the panel:
l On the Door: Edit page, select the Operations tab and ensure a large encoded card format is assigned
to the panel in the Members box under Card Formats.
Viewing Identities and Tokens

When adding an identity, do the following:
Note: ACM identity management is not used to create pivCLASS users. However, you can view
identities and their tokens. You must use the pivCLASS registration system to add these identities in
the ACM system. For more information about using pivCLASS-compliant registration software to add
identities to the ACM system, refer to pivCLASS documentation. After these identities have been
added, they can be searched, edited and modified to provide physical and logical access. If
necessary, you can produce and print badges, assign to groups, roles, delegations, and so on, as
you can for any other identity.
When viewing a token for an identity the following fields are read-only:
l The Token Type field displays PIV for a Personal Identification Verification (PIV) card for government
employees or PIV-I for a PIV-Interoperable (PIV-I) card for government contractors.
l For PIV-I card only. The CHUID field displays the Card Holder Unique Identifier of the PIV-I card.
Monitoring Events
You can monitor pivCLASS events on the Monitor Events page.
Note: pivCLASS events may be configured from Physical Access > Events and searching on Name:
contains pivCLASS.
Assigning Large Encoded Formats to Panels 532

Glossary
2-person control
Under this rule, all access and actions requires the presence of two authorized
people at all times. Two people are necessary to either enter or exit a door.
ACM
Access Control Manager. Available in Enterprise, Enterprise Plus, Professional and

Virtual Appliance platforms.
Badge template
The format designed for a user badge on which information from the Identities
feature is placed. Templates are designed using the Badge Designer.
BLE
Bluetooth Low Energy, a wireless communication protocol.
CHUID
Card Holder Unique Identifier. Used in PIV-I cards.
CoS
Change of State
Debounce
Due to mechanical properties of a switch, when a switch is closed, there is a period

of time in which the electrical connection "bounces" between open and closed. To
a microcontroller, this "bouncing" can be interpreted as multiple button pushes. To
Glossary 533
suppress the "bouncing", the controller software is designed to anticipate it. This is
known as "debouncing a switch".
dogging
The action of turning the hex key and pressing the push bar to retract the latchbolt,
which unlocks the perimeter door on the outside and allows a person to enter the
building. Can be done remotely or manually.
Door contacts
Input devices that detect changes in door position. This is generally done by
measuring resistance across a circuit connecting part of the door jamb to the door
itself. If the door is opened, the resistance drops.
DPOS
Door position switch. These input devices are more commonly called door
contacts.
EOL
End-Of-Line (EOL) are resistors that supervise the wiring between the alarm panel
and the switch. Preset resistance levels must be maintained at input points or an
alarm event is triggered.
Failover
When an appliance fails, a configured standby appliance is able to automatically, or

manually, take its place so that the system can continue to run.
FAS-N
Federal Agency Smart Credential Number. A 32-character number generated for

FASC-N or CHUID for PIV-I cards.
FIPS
Federal Information Processing Standard. The U.S. government's security

standards for approving cryptographic modules and personnel identification
Glossary 534
methods. Only Mercury LP-series controllers with NIST certificate #2389 support
the cryptographic module. Compliance requirements include: FIPS Publication 140-
2 — a U.S. government computer security standard for approving cryptographic
modules, titled "Security Requirements for Cryptographic Modules"; FIPS
Publication 201-2 — a U.S. government standard for identifying federal government
personnel, titled "Personal Identity Verification (PIV) of Federal Employees and
Contractors."
Flow control
The process of managing the rate of data transmission between two nodes
to prevent a fast sender from over running a slow receiver.
Interlock
A defined action that occurs within a panel at a destination device whenever an

event occurs at the source device. For example, a REX input device (source);
receives a request to exit and passes the order to the door strike device
(destination); to open the door latch. For each interlock, a source and a destination
device (or group of devices) is defined.
LDAP
Lightweight Directory Access Protocol is an open, industry standard application

protocol for accessing and maintaining distributed directory information services
over a network. An LDAP database in the Access Control Manager system typically
includes user details, connected hardware details, events, alarms and other system
configuration details.
Mag Lock
Magnetic locks work only with DC current, usually 12 to 24 volts. Never connect a
magnetic lock to AC current of any voltage. All magnetic locks are fail safe. This
means that they need a constant source of current to remained locked. If power is
removed the lock will open. If this is a concern use a back-up power supply. All
magnetic locks are silent even when powered and locked. 300 pound pull
magnetic locks work well in light duty installations such as cabinetry.
Glossary 535
N
Netmask
In administering Internet sites, a netmask is a string of 0's and 1's that mask or
screen out the network part of an IP address(IP) so that only the host computer part
of the address remains. The binary 1's at the beginning of the mask turn the network
ID part of the IP address into 0's. The binary 0's that follow allow the host ID to
remain. A frequently-used netmask is 255.255.255.0. (255 is the decimal
equivalent of a binary string of eight ones.) Used for a Class C subnet (one with up
to 255 host computers), the \".0\" in the \"255.255.255.0\" netmask allows the
specific host computer address to be visible.
NIST
National Institute of Standards and Technology. The U.S. government's standards

body for approving software cryptographic modules in door controllers and
personnel identification methods. Standards include: NIST SP 800-116, "Using
Personal Identity Verification (PIV) Credentials In Physical Access Control Systems
(PACS)"; NIST SP 800-131A, "Transitioning the Use of Cryptographic Algorithms and
Key Lengths."
PACS
Physical Access Control System. An access control solution for securing people,
property and assets. ACM is a PACS.
Panel
Panels are controllers that connect to one or more doors (door controllers) and their
associated readers, inputs, and outputs.
PIV
Personal Identification Verification. A card issued to U.S. government employees

and includes FASC-N information.
PIV-I
PIV - Interoperable. A card issued to U.S. government contractors and includes

CHUID and FASC-N information.
Glossary 536
Postgres
An object-relational database management system (ORDBMS) available for many

platforms including Linux, FreeBSD, Solaris, Microsoft Windows and Mac OS X. Also
callsed PostgreSQL.
redundancy
see Failover
Replication
The process of copying and synchronizing the LDAP database between two or
more appliances so that they share the same configuration information.
REX
Request to exit. REX devices include crash bars and exit buttons.
RQE
Request to exit. Normally these are crash bars or buttons.
RTN
Return to normal. This is normally associated with an event that effectively cancels
an original event. For example, a door open too long event is canceled by a door
closed RTN.
SCP
Secure Copy Protocol is the most basic backup protocol and does not require much
adjustment before it can work properly. It can work effectively on Linux and other
Unix-like systems. To start work, its enough to install the SCP program on the server
and establish the connection.
SFTP
Secure File Transfer Protocol is a network protocol that provides file management
functionality over any reliable data stream. This protocol assumes that it is run over
a secure channel, such as Secure Shell Protocol (SSH), that the server has already
Glossary 537
authenticated the client, and that the identity of the client user is available to the
protocol.
SMTP
Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-
mail) transmission across Internet Protocol (IP) networks.
SNMP
A UDP-based network protocol used mostly in network management systems to

monitor network-attached devices for conditions that warrant administrative
attention.
Strike
Electric strikes are often used for "buzz in" types of systems. Electric strikes come in
many varieties. They can be 12 or 24 volts or even higher voltage and they may
take AC or DC current and some even take both. They may be fail safe or fail
secure. A fail safe electric strike needs power to keep it locked. A fail secure
electric strike stays locked even without power. The most common by far is a fail
secure.
Subpanels
If your system supports a hierarchical structure, subpanels are specialty panels that
are controlled by a primary panel. One primary panel can be connected to a large
number of specialty subpanels, incorporating an array of devices such as single and
multiple door modules, keypads, input modules and output modules.
TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are
cryptographic protocols which are designed to provide communication security
over the Internet.
Token
The entry data required to enable an employee or visitor to access a location. This
typically includes a PIN number and, if a physical badge or keycard is required, a
number on the card.
Glossary 538
U
undogging
The action of turning the hex key and releasing the push bar to extend the
latchbolt, which locks the perimeter door on the outside and prevents a person
from entering the building. Can be done remotely or manually.
Glossary 539

Acm 6.38.0 Admin Guide en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Acm 6.38.0 Admin Guide en

Uploaded by

Copyright:

Available Formats

Admin Guide

Access Control Manager™

Motorola Solutions Inc.

ACM Release Description

ACM 6.38.0 Events for low system resources:

Bosch intrusion enhancements:

DMP intrusion enhancements:

Mercury LED Mode support for OSDP readers:

OSDP Tracing checkbox for OSDP readers:

Physical Access 142

Managing Appliances 342

Managing Collaborations 379

Setup & Settings 393

Priority Situations 458

Setting Personal Preferences 477

Permissions and Rights 486

Appendix: pivCLASS Configuration 529

1. Open your preferred browser.

The application's Home page is displayed.

Accepting the End User License Agreement

1. In the top-right, select > Appliance.

Now you can license and configure the ACM system.

Upgrading Your License Format

1. In the top-right, select >Appliance.

If you do not already have a license, purchase one from Avigilon.

1. In the top-right, select > Appliance.

1. In the top-right, select >Appliance.

A capabilityResponse.bin file should download automatically. If not, allow the download to

1. In the Add Licenses dialog, click Choose File.

Changing the Administrator Password

1. Click Identities and then Search.

Creating a Super Admin Identity

1. Click Identities and then Add Identity.

Changing the Administrator Password 26

6. Click and the Roles tab is automatically displayed.

Creating a Super Admin Identity 27

To view the events:

1. Select Monitor > Events.

Follow the steps below to pause and resume events.

1. Click Monitor to access the Monitor Events page.

View Live Video

View Recorded Video

Follow the steps below to view live video.

Only events or alarms with an icon will have video.

Create Event Notes

Follow the steps below to create event notes.

1. Click Monitor to access the Monitor Events page.

View Recorded Video 30

View Event Notes

Follow the steps below to view event notes.

View Event Instructions

View Event Identity Details

View Event Notes 31

View Event History

Change Events List Settings

1. Click Monitor to access the Monitor Events page.

Reconnect to Events List

View Event History 32

Searching for Events and Alarms

1. Select Monitor > Search.

2. Scroll to the bottom of the page and click the icon.

Figure 1: Search options

Searching for Events and Alarms 33